e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe
Size

64KB
MD5

6053543c2c0f4fc75ce109f5566ad973
SHA1

eec22974b1ae7233a1ac7e397e14e440e0a3810f
SHA256

e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae
SHA512

412225cd2da70cfc9f56f8e8ca1887d3bfc49948ac6f9d0b8628826b68e913f449bff7834c23a675efafadb0788bd76f45d401e6b1851830d174a0512c6f1c0e
SSDEEP

768:4Sldw3B4+U9BLN1dTVoB5NbG78Sr+yqbMIp4Okqj5Jj2p/1H5ZXdnhaBGHBJ1nVW:4yw30LNdoBHG78SsbjkC2LRsBMu/H1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcdkfjfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dihjopom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daobpnoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epkebi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fibflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjghnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igmemnco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihchhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkecjajp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpbkbhhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igmemnco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijpkdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jncmefpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdddj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgdhkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnnlinc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgfic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edbhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjibc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfjncepi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndhmjjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijnnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibgcef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiogcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjeamffe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmeek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfbhbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eicjkodp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflcobod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdobhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdkahba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cckipl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfbhbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaefpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjedohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jqfcmq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjngefam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjemfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkejph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpmpjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edddmhhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkelngg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igpbbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inndjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eadkkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmihal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gainmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djqphdlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efngnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fikpknng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmebp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkgnojog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcdkfjfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emmifn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikpgnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmcmiaei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdjgoefc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdlcdedp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggmlfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdddj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kggajj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edbhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdjgoefc.exe

Executes dropped EXE 64 IoCs

pid	Process
572	Bfdkahba.exe
2152	Bichmcae.exe
2700	Bpmpjm32.exe
2212	Cgdhkk32.exe
2228	Ciedbcob.exe
4992	Calldppd.exe
4068	Cckipl32.exe
1828	Cjeamffe.exe
560	Cmcmiaei.exe
532	Caoiip32.exe
1824	Ccmeek32.exe
1392	Cjgnbedb.exe
4468	Cmejnacf.exe
1908	Cpdfjlbj.exe
1500	Ccpbkk32.exe
2256	Cjijhe32.exe
1644	Cpfbpl32.exe
3784	Cgmkai32.exe
656	Ciogiagg.exe
5024	Cafojogj.exe
2732	Dcdkfjfm.exe
336	Dfbhbf32.exe
2292	Diadna32.exe
1776	Dmmpopmn.exe
5020	Dahlpo32.exe
3092	Dgbdlimd.exe
1968	Djqphdlg.exe
4132	Dmomdpkk.exe
2720	Dcieaj32.exe
4496	Dhdabhka.exe
2000	Diemiqqp.exe
696	Dmaijo32.exe
2196	Dckagiqe.exe
4600	Dfjncepi.exe
1360	Dihjopom.exe
1308	Daobpnoo.exe
2596	Ddnnlinc.exe
1332	Dfljhdnf.exe
4044	Djgfic32.exe
5092	Epdoajdg.exe
872	Ehkgbgdi.exe
2480	Efngnd32.exe
1768	Eimcjp32.exe
4024	Eadkkm32.exe
940	Edbhgh32.exe
5000	Ejlpdbbj.exe
3716	Eafhamig.exe
2904	Edddmhhk.exe
4668	Ehppng32.exe
2432	Eiameofb.exe
4524	Emmifn32.exe
1152	Epkebi32.exe
3500	Efemocel.exe
4492	Eicjkodp.exe
2200	Eakall32.exe
3432	Epnbgill.exe
5072	Efhjdc32.exe
3924	Ekcfealb.exe
2692	Emabamkf.exe
3376	Fppomhjj.exe
684	Fhgfnfjl.exe
4872	Fkecjajp.exe
2192	Fmdofmic.exe
3396	Fpbkbhhg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dihjopom.exe	Dfjncepi.exe
File created	C:\Windows\SysWOW64\Jjedohjg.exe	Ihchhp32.exe
File opened for modification	C:\Windows\SysWOW64\Diadna32.exe	Dfbhbf32.exe
File opened for modification	C:\Windows\SysWOW64\Djqphdlg.exe	Dgbdlimd.exe
File created	C:\Windows\SysWOW64\Hdpedijp.dll	Dmaijo32.exe
File created	C:\Windows\SysWOW64\Dakkik32.dll	Eicjkodp.exe
File created	C:\Windows\SysWOW64\Fioifm32.exe	Fhnmoedd.exe
File opened for modification	C:\Windows\SysWOW64\Fafahj32.exe	Fioifm32.exe
File created	C:\Windows\SysWOW64\Mdbdmc32.dll	Ggmlfp32.exe
File opened for modification	C:\Windows\SysWOW64\Jhhacopd.exe	Jdmebp32.exe
File opened for modification	C:\Windows\SysWOW64\Emmifn32.exe	Eiameofb.exe
File created	C:\Windows\SysWOW64\Keomkeoe.dll	Bichmcae.exe
File opened for modification	C:\Windows\SysWOW64\Cgdhkk32.exe	Bpmpjm32.exe
File created	C:\Windows\SysWOW64\Cckipl32.exe	Calldppd.exe
File created	C:\Windows\SysWOW64\Cjgnbedb.exe	Ccmeek32.exe
File created	C:\Windows\SysWOW64\Dfbhbf32.exe	Dcdkfjfm.exe
File opened for modification	C:\Windows\SysWOW64\Dfbhbf32.exe	Dcdkfjfm.exe
File created	C:\Windows\SysWOW64\Jbmnicfe.dll	Daobpnoo.exe
File opened for modification	C:\Windows\SysWOW64\Ikpgnk32.exe	Ihakbp32.exe
File created	C:\Windows\SysWOW64\Phdojnfc.dll	e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe
File created	C:\Windows\SysWOW64\Eadkkm32.exe	Eimcjp32.exe
File created	C:\Windows\SysWOW64\Aomonkoj.dll	Fgcjpa32.exe
File created	C:\Windows\SysWOW64\Pmjimh32.dll	Inndjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ganghiel.exe	Gghckqef.exe
File created	C:\Windows\SysWOW64\Dpmqklee.dll	Igpbbm32.exe
File created	C:\Windows\SysWOW64\Pipilb32.dll	Eimcjp32.exe
File created	C:\Windows\SysWOW64\Lbagmj32.dll	Efhjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Gdjgoefc.exe	Ghcfjd32.exe
File created	C:\Windows\SysWOW64\Pgbfcjfc.dll	Hghlbn32.exe
File opened for modification	C:\Windows\SysWOW64\Fabhmkoj.exe	Fikpknng.exe
File opened for modification	C:\Windows\SysWOW64\Fioifm32.exe	Fhnmoedd.exe
File created	C:\Windows\SysWOW64\Opmbqnpm.dll	Kjemfe32.exe
File created	C:\Windows\SysWOW64\Gabqci32.exe	Gikibk32.exe
File created	C:\Windows\SysWOW64\Bgoignbq.dll	Ihakbp32.exe
File created	C:\Windows\SysWOW64\Jkgnojog.exe	Jhhacopd.exe
File created	C:\Windows\SysWOW64\Ciedbcob.exe	Cgdhkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ejlpdbbj.exe	Edbhgh32.exe
File created	C:\Windows\SysWOW64\Eafhamig.exe	Ejlpdbbj.exe
File created	C:\Windows\SysWOW64\Plmnmopf.dll	Edddmhhk.exe
File created	C:\Windows\SysWOW64\Fpgdng32.exe	Fmihal32.exe
File created	C:\Windows\SysWOW64\Kammndim.dll	Fhnmoedd.exe
File created	C:\Windows\SysWOW64\Dcfgeddi.dll	Ikmkilgb.exe
File created	C:\Windows\SysWOW64\Knomadfq.exe	Knomadfq.exe
File created	C:\Windows\SysWOW64\Phalpk32.dll	Keheno32.exe
File opened for modification	C:\Windows\SysWOW64\Bpmpjm32.exe	Bichmcae.exe
File created	C:\Windows\SysWOW64\Emmifn32.exe	Eiameofb.exe
File created	C:\Windows\SysWOW64\Ghjlkcjf.exe	Gapdni32.exe
File opened for modification	C:\Windows\SysWOW64\Ibgcef32.exe	Ijpkdh32.exe
File created	C:\Windows\SysWOW64\Inndjg32.exe	Ikpgnk32.exe
File opened for modification	C:\Windows\SysWOW64\Jbqfld32.exe	Jnejkfnk.exe
File opened for modification	C:\Windows\SysWOW64\Kidaomff.exe	Keheno32.exe
File opened for modification	C:\Windows\SysWOW64\Ciogiagg.exe	Cgmkai32.exe
File opened for modification	C:\Windows\SysWOW64\Dmmpopmn.exe	Diadna32.exe
File created	C:\Windows\SysWOW64\Efemocel.exe	Epkebi32.exe
File created	C:\Windows\SysWOW64\Dldkia32.dll	Jkkgjj32.exe
File created	C:\Windows\SysWOW64\Abgopa32.dll	Kkejph32.exe
File created	C:\Windows\SysWOW64\Efngnd32.exe	Ehkgbgdi.exe
File opened for modification	C:\Windows\SysWOW64\Hgkignea.exe	Hhhhla32.exe
File opened for modification	C:\Windows\SysWOW64\Ikianl32.exe	Igmemnco.exe
File created	C:\Windows\SysWOW64\Qedbin32.dll	Jkdaikaj.exe
File created	C:\Windows\SysWOW64\Mekfnpag.dll	Jdobhp32.exe
File created	C:\Windows\SysWOW64\Dponijih.dll	Dgbdlimd.exe
File created	C:\Windows\SysWOW64\Dmomdpkk.exe	Djqphdlg.exe
File created	C:\Windows\SysWOW64\Cqnkjjaf.dll	Dcieaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6928	6820	WerFault.exe	253

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidaomff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekacnkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehkgbgdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edddmhhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efemocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gndhmjjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jncmefpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgfic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fibflm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhhhla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpkdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epkebi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdhcpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdjpfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhacopd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkkgjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efhjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkflaokm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkijdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciogiagg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cafojogj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmpopmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnnkcibf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlpdbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiameofb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdlcdedp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgdhkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calldppd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcdkfjfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmaijo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dihjopom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idoiabdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ingnjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkgnojog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cckipl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddnnlinc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efngnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafhamig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkecjajp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckagiqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmdofmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjngefam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqklhpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiogcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjibc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kggajj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqomlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdkahba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eadkkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fioifm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fafahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihchhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijnnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keheno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdabhka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpeaoeha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgafaoml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpaqkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igmemnco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fabhmkoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfdmobf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjgnbedb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emabamkf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmebp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjghfeb.dll"	Jiogcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciogiagg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddnnlinc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfljhdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpkifk.dll"	Ganghiel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkegph32.dll"	Hhhhla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekfamcj.dll"	Ehkgbgdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eadkkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhnmoedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdoh32.dll"	Kbjibc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfjncepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgmkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpgek32.dll"	Dmmpopmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehkgbgdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkacp32.dll"	Caoiip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coqhbb32.dll"	Hniahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdhcpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnpgiipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcfgeddi.dll"	Ikmkilgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfbhbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfjncepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehkgbgdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fibflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gabqci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdobhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kidaomff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpbkbhhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnnkcibf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijiecide.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igmemnco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpmpjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdabhka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgfic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhicde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hniahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibgcef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caoiip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfljhdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cccimd32.dll"	Eafhamig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjngefam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Diemiqqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkkgjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dldkia32.dll"	Jkkgjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knomadfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnpgiipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijpkdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkecjajp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fabhmkoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmihal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fafahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkflaokm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhicde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kblegblg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglnooho.dll"	Cafojogj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fafahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikemgf32.dll"	Gpeaoeha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgkignea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godhhjgq.dll"	Cpfbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alophn32.dll"	Djgfic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkoogn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikpgnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjngefam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 572	4016	e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe	84
PID 4016 wrote to memory of 572	4016	e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe	84
PID 4016 wrote to memory of 572	4016	e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe	84
PID 572 wrote to memory of 2152	572	Bfdkahba.exe	85
PID 572 wrote to memory of 2152	572	Bfdkahba.exe	85
PID 572 wrote to memory of 2152	572	Bfdkahba.exe	85
PID 2152 wrote to memory of 2700	2152	Bichmcae.exe	86
PID 2152 wrote to memory of 2700	2152	Bichmcae.exe	86
PID 2152 wrote to memory of 2700	2152	Bichmcae.exe	86
PID 2700 wrote to memory of 2212	2700	Bpmpjm32.exe	87
PID 2700 wrote to memory of 2212	2700	Bpmpjm32.exe	87
PID 2700 wrote to memory of 2212	2700	Bpmpjm32.exe	87
PID 2212 wrote to memory of 2228	2212	Cgdhkk32.exe	88
PID 2212 wrote to memory of 2228	2212	Cgdhkk32.exe	88
PID 2212 wrote to memory of 2228	2212	Cgdhkk32.exe	88
PID 2228 wrote to memory of 4992	2228	Ciedbcob.exe	89
PID 2228 wrote to memory of 4992	2228	Ciedbcob.exe	89
PID 2228 wrote to memory of 4992	2228	Ciedbcob.exe	89
PID 4992 wrote to memory of 4068	4992	Calldppd.exe	90
PID 4992 wrote to memory of 4068	4992	Calldppd.exe	90
PID 4992 wrote to memory of 4068	4992	Calldppd.exe	90
PID 4068 wrote to memory of 1828	4068	Cckipl32.exe	91
PID 4068 wrote to memory of 1828	4068	Cckipl32.exe	91
PID 4068 wrote to memory of 1828	4068	Cckipl32.exe	91
PID 1828 wrote to memory of 560	1828	Cjeamffe.exe	92
PID 1828 wrote to memory of 560	1828	Cjeamffe.exe	92
PID 1828 wrote to memory of 560	1828	Cjeamffe.exe	92
PID 560 wrote to memory of 532	560	Cmcmiaei.exe	93
PID 560 wrote to memory of 532	560	Cmcmiaei.exe	93
PID 560 wrote to memory of 532	560	Cmcmiaei.exe	93
PID 532 wrote to memory of 1824	532	Caoiip32.exe	94
PID 532 wrote to memory of 1824	532	Caoiip32.exe	94
PID 532 wrote to memory of 1824	532	Caoiip32.exe	94
PID 1824 wrote to memory of 1392	1824	Ccmeek32.exe	95
PID 1824 wrote to memory of 1392	1824	Ccmeek32.exe	95
PID 1824 wrote to memory of 1392	1824	Ccmeek32.exe	95
PID 1392 wrote to memory of 4468	1392	Cjgnbedb.exe	97
PID 1392 wrote to memory of 4468	1392	Cjgnbedb.exe	97
PID 1392 wrote to memory of 4468	1392	Cjgnbedb.exe	97
PID 4468 wrote to memory of 1908	4468	Cmejnacf.exe	98
PID 4468 wrote to memory of 1908	4468	Cmejnacf.exe	98
PID 4468 wrote to memory of 1908	4468	Cmejnacf.exe	98
PID 1908 wrote to memory of 1500	1908	Cpdfjlbj.exe	99
PID 1908 wrote to memory of 1500	1908	Cpdfjlbj.exe	99
PID 1908 wrote to memory of 1500	1908	Cpdfjlbj.exe	99
PID 1500 wrote to memory of 2256	1500	Ccpbkk32.exe	100
PID 1500 wrote to memory of 2256	1500	Ccpbkk32.exe	100
PID 1500 wrote to memory of 2256	1500	Ccpbkk32.exe	100
PID 2256 wrote to memory of 1644	2256	Cjijhe32.exe	102
PID 2256 wrote to memory of 1644	2256	Cjijhe32.exe	102
PID 2256 wrote to memory of 1644	2256	Cjijhe32.exe	102
PID 1644 wrote to memory of 3784	1644	Cpfbpl32.exe	103
PID 1644 wrote to memory of 3784	1644	Cpfbpl32.exe	103
PID 1644 wrote to memory of 3784	1644	Cpfbpl32.exe	103
PID 3784 wrote to memory of 656	3784	Cgmkai32.exe	104
PID 3784 wrote to memory of 656	3784	Cgmkai32.exe	104
PID 3784 wrote to memory of 656	3784	Cgmkai32.exe	104
PID 656 wrote to memory of 5024	656	Ciogiagg.exe	106
PID 656 wrote to memory of 5024	656	Ciogiagg.exe	106
PID 656 wrote to memory of 5024	656	Ciogiagg.exe	106
PID 5024 wrote to memory of 2732	5024	Cafojogj.exe	107
PID 5024 wrote to memory of 2732	5024	Cafojogj.exe	107
PID 5024 wrote to memory of 2732	5024	Cafojogj.exe	107
PID 2732 wrote to memory of 336	2732	Dcdkfjfm.exe	108

C:\Users\Admin\AppData\Local\Temp\e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe
"C:\Users\Admin\AppData\Local\Temp\e34775f2935f33dd92586f14b847eb6bd4952985fb96bec02ee662c864af61ae.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\Bfdkahba.exe
  C:\Windows\system32\Bfdkahba.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\SysWOW64\Bichmcae.exe
    C:\Windows\system32\Bichmcae.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\Bpmpjm32.exe
      C:\Windows\system32\Bpmpjm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Cgdhkk32.exe
        
        C:\Windows\system32\Cgdhkk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\SysWOW64\Ciedbcob.exe
        
        C:\Windows\system32\Ciedbcob.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Calldppd.exe
        
        C:\Windows\system32\Calldppd.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Cckipl32.exe
        
        C:\Windows\system32\Cckipl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Cjeamffe.exe
        
        C:\Windows\system32\Cjeamffe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Cmcmiaei.exe
        
        C:\Windows\system32\Cmcmiaei.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Caoiip32.exe
        
        C:\Windows\system32\Caoiip32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Ccmeek32.exe
        
        C:\Windows\system32\Ccmeek32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Cjgnbedb.exe
        
        C:\Windows\system32\Cjgnbedb.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Cmejnacf.exe
        
        C:\Windows\system32\Cmejnacf.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Cpdfjlbj.exe
        
        C:\Windows\system32\Cpdfjlbj.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Ccpbkk32.exe
        
        C:\Windows\system32\Ccpbkk32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Cjijhe32.exe
        
        C:\Windows\system32\Cjijhe32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Cpfbpl32.exe
        
        C:\Windows\system32\Cpfbpl32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Cgmkai32.exe
        
        C:\Windows\system32\Cgmkai32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Ciogiagg.exe
        
        C:\Windows\system32\Ciogiagg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Cafojogj.exe
        
        C:\Windows\system32\Cafojogj.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Dcdkfjfm.exe
        
        C:\Windows\system32\Dcdkfjfm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Dfbhbf32.exe
        
        C:\Windows\system32\Dfbhbf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Diadna32.exe
        
        C:\Windows\system32\Diadna32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Dmmpopmn.exe
        
        C:\Windows\system32\Dmmpopmn.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Dahlpo32.exe
        
        C:\Windows\system32\Dahlpo32.exe
        26⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Dgbdlimd.exe
        
        C:\Windows\system32\Dgbdlimd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Djqphdlg.exe
        
        C:\Windows\system32\Djqphdlg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Dmomdpkk.exe
        
        C:\Windows\system32\Dmomdpkk.exe
        29⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\Dcieaj32.exe
        
        C:\Windows\system32\Dcieaj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Dhdabhka.exe
        
        C:\Windows\system32\Dhdabhka.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Diemiqqp.exe
        
        C:\Windows\system32\Diemiqqp.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Dmaijo32.exe
        
        C:\Windows\system32\Dmaijo32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Dckagiqe.exe
        
        C:\Windows\system32\Dckagiqe.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Dfjncepi.exe
        
        C:\Windows\system32\Dfjncepi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Dihjopom.exe
        
        C:\Windows\system32\Dihjopom.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Daobpnoo.exe
        
        C:\Windows\system32\Daobpnoo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\Ddnnlinc.exe
        
        C:\Windows\system32\Ddnnlinc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Dfljhdnf.exe
        
        C:\Windows\system32\Dfljhdnf.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Djgfic32.exe
        
        C:\Windows\system32\Djgfic32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Epdoajdg.exe
        
        C:\Windows\system32\Epdoajdg.exe
        41⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Ehkgbgdi.exe
        
        C:\Windows\system32\Ehkgbgdi.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Efngnd32.exe
        
        C:\Windows\system32\Efngnd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Eimcjp32.exe
        
        C:\Windows\system32\Eimcjp32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Eadkkm32.exe
        
        C:\Windows\system32\Eadkkm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Edbhgh32.exe
        
        C:\Windows\system32\Edbhgh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Ejlpdbbj.exe
        
        C:\Windows\system32\Ejlpdbbj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Eafhamig.exe
        
        C:\Windows\system32\Eafhamig.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Edddmhhk.exe
        
        C:\Windows\system32\Edddmhhk.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Ehppng32.exe
        
        C:\Windows\system32\Ehppng32.exe
        50⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\Eiameofb.exe
        
        C:\Windows\system32\Eiameofb.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Emmifn32.exe
        
        C:\Windows\system32\Emmifn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Epkebi32.exe
        
        C:\Windows\system32\Epkebi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Efemocel.exe
        
        C:\Windows\system32\Efemocel.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Eicjkodp.exe
        
        C:\Windows\system32\Eicjkodp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Eakall32.exe
        
        C:\Windows\system32\Eakall32.exe
        56⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\Epnbgill.exe
        
        C:\Windows\system32\Epnbgill.exe
        57⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Efhjdc32.exe
        
        C:\Windows\system32\Efhjdc32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Ekcfealb.exe
        
        C:\Windows\system32\Ekcfealb.exe
        59⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Emabamkf.exe
        
        C:\Windows\system32\Emabamkf.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Fppomhjj.exe
        
        C:\Windows\system32\Fppomhjj.exe
        61⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Fhgfnfjl.exe
        
        C:\Windows\system32\Fhgfnfjl.exe
        62⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\Fkecjajp.exe
        
        C:\Windows\system32\Fkecjajp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Fmdofmic.exe
        
        C:\Windows\system32\Fmdofmic.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Fpbkbhhg.exe
        
        C:\Windows\system32\Fpbkbhhg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Fhicde32.exe
        
        C:\Windows\system32\Fhicde32.exe
        66⤵
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Fflcobod.exe
        
        C:\Windows\system32\Fflcobod.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4972
        
        C:\Windows\SysWOW64\Fikpknng.exe
        
        C:\Windows\system32\Fikpknng.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Fabhmkoj.exe
        
        C:\Windows\system32\Fabhmkoj.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Fpehhh32.exe
        
        C:\Windows\system32\Fpehhh32.exe
        70⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Fkjleq32.exe
        
        C:\Windows\system32\Fkjleq32.exe
        71⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Fmihal32.exe
        
        C:\Windows\system32\Fmihal32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Fpgdng32.exe
        
        C:\Windows\system32\Fpgdng32.exe
        73⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Fhnmoedd.exe
        
        C:\Windows\system32\Fhnmoedd.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Fioifm32.exe
        
        C:\Windows\system32\Fioifm32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Fafahj32.exe
        
        C:\Windows\system32\Fafahj32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Fdemdf32.exe
        
        C:\Windows\system32\Fdemdf32.exe
        77⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Fgcjpa32.exe
        
        C:\Windows\system32\Fgcjpa32.exe
        78⤵
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Fibflm32.exe
        
        C:\Windows\system32\Fibflm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Gainmj32.exe
        
        C:\Windows\system32\Gainmj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4660
        
        C:\Windows\SysWOW64\Ghcfjd32.exe
        
        C:\Windows\system32\Ghcfjd32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Gdjgoefc.exe
        
        C:\Windows\system32\Gdjgoefc.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2072
        
        C:\Windows\SysWOW64\Gghckqef.exe
        
        C:\Windows\system32\Gghckqef.exe
        83⤵
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Ganghiel.exe
        
        C:\Windows\system32\Ganghiel.exe
        84⤵
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Gdlcdedp.exe
        
        C:\Windows\system32\Gdlcdedp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\Gkflaokm.exe
        
        C:\Windows\system32\Gkflaokm.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Gndhmjjq.exe
        
        C:\Windows\system32\Gndhmjjq.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Gapdni32.exe
        
        C:\Windows\system32\Gapdni32.exe
        88⤵
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Ghjlkcjf.exe
        
        C:\Windows\system32\Ghjlkcjf.exe
        89⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Ggmlfp32.exe
        
        C:\Windows\system32\Ggmlfp32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Gikibk32.exe
        
        C:\Windows\system32\Gikibk32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Gabqci32.exe
        
        C:\Windows\system32\Gabqci32.exe
        92⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Gpeaoeha.exe
        
        C:\Windows\system32\Gpeaoeha.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ghlipchd.exe
        
        C:\Windows\system32\Ghlipchd.exe
        94⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Ggoilp32.exe
        
        C:\Windows\system32\Ggoilp32.exe
        95⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Gkkelngg.exe
        
        C:\Windows\system32\Gkkelngg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Hniahj32.exe
        
        C:\Windows\system32\Hniahj32.exe
        97⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Hpgnde32.exe
        
        C:\Windows\system32\Hpgnde32.exe
        98⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Hgafaoml.exe
        
        C:\Windows\system32\Hgafaoml.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Hjpbmklp.exe
        
        C:\Windows\system32\Hjpbmklp.exe
        100⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Hnknni32.exe
        
        C:\Windows\system32\Hnknni32.exe
        101⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Hpjjje32.exe
        
        C:\Windows\system32\Hpjjje32.exe
        102⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Hhabkb32.exe
        
        C:\Windows\system32\Hhabkb32.exe
        103⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Hkoogn32.exe
        
        C:\Windows\system32\Hkoogn32.exe
        104⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Hnnkcibf.exe
        
        C:\Windows\system32\Hnnkcibf.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Hdhcpc32.exe
        
        C:\Windows\system32\Hdhcpc32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Hnpgiipc.exe
        
        C:\Windows\system32\Hnpgiipc.exe
        107⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Halcjg32.exe
        
        C:\Windows\system32\Halcjg32.exe
        108⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Hdjpfc32.exe
        
        C:\Windows\system32\Hdjpfc32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Hghlbn32.exe
        
        C:\Windows\system32\Hghlbn32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Hjghnj32.exe
        
        C:\Windows\system32\Hjghnj32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Hpaqkd32.exe
        
        C:\Windows\system32\Hpaqkd32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Hhhhla32.exe
        
        C:\Windows\system32\Hhhhla32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Hgkignea.exe
        
        C:\Windows\system32\Hgkignea.exe
        114⤵
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Ijiecide.exe
        
        C:\Windows\system32\Ijiecide.exe
        115⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Idoiabdk.exe
        
        C:\Windows\system32\Idoiabdk.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Igmemnco.exe
        
        C:\Windows\system32\Igmemnco.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ikianl32.exe
        
        C:\Windows\system32\Ikianl32.exe
        118⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Ingnjh32.exe
        
        C:\Windows\system32\Ingnjh32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Idaffb32.exe
        
        C:\Windows\system32\Idaffb32.exe
        120⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Igpbbm32.exe
        
        C:\Windows\system32\Igpbbm32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Ijnnoi32.exe
        
        C:\Windows\system32\Ijnnoi32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Iaefpf32.exe
        
        C:\Windows\system32\Iaefpf32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Ikmkilgb.exe
        
        C:\Windows\system32\Ikmkilgb.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Ijpkdh32.exe
        
        C:\Windows\system32\Ijpkdh32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Ibgcef32.exe
        
        C:\Windows\system32\Ibgcef32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Idfoaa32.exe
        
        C:\Windows\system32\Idfoaa32.exe
        127⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ihakbp32.exe
        
        C:\Windows\system32\Ihakbp32.exe
        128⤵
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ikpgnk32.exe
        
        C:\Windows\system32\Ikpgnk32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Inndjg32.exe
        
        C:\Windows\system32\Inndjg32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Ibjpkeml.exe
        
        C:\Windows\system32\Ibjpkeml.exe
        131⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Ihchhp32.exe
        
        C:\Windows\system32\Ihchhp32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Jjedohjg.exe
        
        C:\Windows\system32\Jjedohjg.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Jqomlb32.exe
        
        C:\Windows\system32\Jqomlb32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Jhfdmobf.exe
        
        C:\Windows\system32\Jhfdmobf.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Jkdaikaj.exe
        
        C:\Windows\system32\Jkdaikaj.exe
        136⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Jjgaeg32.exe
        
        C:\Windows\system32\Jjgaeg32.exe
        137⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Jncmefpn.exe
        
        C:\Windows\system32\Jncmefpn.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Jdmebp32.exe
        
        C:\Windows\system32\Jdmebp32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Jhhacopd.exe
        
        C:\Windows\system32\Jhhacopd.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Jkgnojog.exe
        
        C:\Windows\system32\Jkgnojog.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Jnejkfnk.exe
        
        C:\Windows\system32\Jnejkfnk.exe
        142⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Jbqfld32.exe
        
        C:\Windows\system32\Jbqfld32.exe
        143⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Jdobhp32.exe
        
        C:\Windows\system32\Jdobhp32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Jkijdj32.exe
        
        C:\Windows\system32\Jkijdj32.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Jngfqe32.exe
        
        C:\Windows\system32\Jngfqe32.exe
        146⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Jqfcmq32.exe
        
        C:\Windows\system32\Jqfcmq32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Jkkgjj32.exe
        
        C:\Windows\system32\Jkkgjj32.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Jjngefam.exe
        
        C:\Windows\system32\Jjngefam.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Jiogcn32.exe
        
        C:\Windows\system32\Jiogcn32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Kjqdkfpj.exe
        
        C:\Windows\system32\Kjqdkfpj.exe
        151⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Kqklhpgg.exe
        
        C:\Windows\system32\Kqklhpgg.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Kgdddj32.exe
        
        C:\Windows\system32\Kgdddj32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Knomadfq.exe
        
        C:\Windows\system32\Knomadfq.exe
        154⤵
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Knomadfq.exe
        
        C:\Windows\system32\Knomadfq.exe
        155⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Kbjibc32.exe
        
        C:\Windows\system32\Kbjibc32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Keheno32.exe
        
        C:\Windows\system32\Keheno32.exe
        157⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6392
        
        C:\Windows\SysWOW64\Kidaomff.exe
        
        C:\Windows\system32\Kidaomff.exe
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Kggajj32.exe
        
        C:\Windows\system32\Kggajj32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\Kjemfe32.exe
        
        C:\Windows\system32\Kjemfe32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Kblegblg.exe
        
        C:\Windows\system32\Kblegblg.exe
        161⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Kekacnkk.exe
        
        C:\Windows\system32\Kekacnkk.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:6688
        
        C:\Windows\SysWOW64\Kkejph32.exe
        
        C:\Windows\system32\Kkejph32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Kjhjlejb.exe
        
        C:\Windows\system32\Kjhjlejb.exe
        164⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 404
        165⤵
        Program crash
        
        PID:6928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6820 -ip 6820
1⤵
PID:6884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfdkahba.exe

Filesize
64KB

MD5
6549fdb2fc8f3135123d4dd8e52a1de1

SHA1
512f007c5cdc5663c50ce7710452add3cdb55ac0

SHA256
45214b57a8a3ea47d6ad93c59b659b0594aac123d175e400a7c217038888c65a

SHA512
fda26290824a4d70c60e9431950b1eeb519e7c8a8b563a701b9a2740fb31358effaf8a73aa0e3ed4ece4f33995eece32c6dfc8daab3a87e8284b35b6ab5d677c

Download Submit
C:\Windows\SysWOW64\Bichmcae.exe

Filesize
64KB

MD5
17865494a84fa850f7a3d8ce8508c1b8

SHA1
07a00e08b9a1816e26308ce6f6c64fb0e4f7994e

SHA256
f43ce4e420c069f47dbb956dc9f3dab9c81bdf998e68668c41294b135259fb13

SHA512
aa219e1baa0fa593963b3ec325abc1c3886c18201ecaf9c0a899d244933c0fa508518b559d899270012235c791f950d932446b2eb1487cb7a2436bf7a1421efc

Download Submit
C:\Windows\SysWOW64\Bpmpjm32.exe

Filesize
64KB

MD5
864584c81785167ec3439d6c0d21647d

SHA1
6cb3266e84b64c9320b540cce20b8ab31787460c

SHA256
733da6b7e7647728cde4291c753a44699cdefa3e240e9a89391ca06cce0697d8

SHA512
f010285227476ae4eb7a11d0eb78331f2e30a40a70dccbe5994a43ab0c6402013e8ad07f268dec1c1fb70942cb13bd90dbe476bb776fc929ddda60fed5fdf169

Download Submit
C:\Windows\SysWOW64\Cafojogj.exe

Filesize
64KB

MD5
6cf3ba933748a6a3fb5de31055046c99

SHA1
3b74e804506766bf4276d851d2cd34d42f557e8a

SHA256
0d90b9afa205522443a90209e8fd9908f092b34ac92d98dd0dfb3e2c8feab0fc

SHA512
258553246d8e594e91decdc4b5b0d66fde4222372bd72bb650749fb7ee04d264496667c8f350782fbf07e44510134816b855e5afe57944c419c2be239fcb04d5

Download Submit
C:\Windows\SysWOW64\Calldppd.exe

Filesize
64KB

MD5
c021d16a379ac36f983f998322f86774

SHA1
f0ac127a288796ad7e2103a85be9bbe5795dff3f

SHA256
ec0717011807d98ce8e5545146e43959a0891981f4c7abd5843f7b122393ced2

SHA512
58c679a275f2b4336c814ab52f85093ca23450d29680e3534360a0cdb7b238e2efb81b1d6ed3f68be06ef7eaf7928d7cc95e5cf17ca60733ed64585e0da33ae9

Download Submit
C:\Windows\SysWOW64\Caoiip32.exe

Filesize
64KB

MD5
39ff5d2dfa99697571425c7304b59684

SHA1
0fcc2b0416804ddbd552d95538fd155cb79ed027

SHA256
d28d1044b49f5334af037edc06cfe4f7ec4f59e0788e7fe5e021aa7691226a88

SHA512
b3f86cad2bb42df1c4a6280e8cfda041fbf1ba20402190421187decdbed3bb77f2c89df81a1b78dbcba048b6b82ebee1805aa514e8ae4d4e75c80950f14d8714

Download Submit
C:\Windows\SysWOW64\Cckipl32.exe

Filesize
64KB

MD5
b1720d882451b718d1f012390e0a4dd4

SHA1
c2d67bfc124356c28ec298549b8ccc4e4fdd7e63

SHA256
d439a28796bdcb2de1d86b3efd77bd50a904bf74262ed9a6c4b8fd3dfb642273

SHA512
695217cf9399482186647f849f66de5d3d69c00086e11e42c620f77eecd2749a6b510d9bc7cff1d742080e708a4e2cc14a3a8abb3c136ddd7069152acf450980

Download Submit
C:\Windows\SysWOW64\Ccmeek32.exe

Filesize
64KB

MD5
ab16e1e591af84bf36700e2e8ee007d4

SHA1
d271f1bf685927fd710ceab6cad0835e4fb7049d

SHA256
ac3ce060898f68487f49e843800b406ebd85f9dd6e9272a921cab423f6b0d319

SHA512
9e5cf0b317750ac308635e8213c4c552686dbeac7f77a60f3a2b852e0bb90410c2aa904d9656c2d41e47f9bb11257d014f2904670d84263267e97c062bbe7497

Download Submit
C:\Windows\SysWOW64\Ccpbkk32.exe

Filesize
64KB

MD5
59fa45dff50bbda967c6cb1a57ab9e56

SHA1
f8c949ab2e39654c184a5db0f378e19cc8bd9279

SHA256
7e7657c1253bee27beed61caa438b9fad3523b9df529c7e8e24b06abf7178103

SHA512
48edc00167a828b2a48408cf358995548c0b395863563b6d98343c2e27653bf9bd8ec64dd4fed182f52b8f6c9c9a8fcc1089888db9b0ee27a552ffdfa131c0ca

Download Submit
C:\Windows\SysWOW64\Cgdhkk32.exe

Filesize
64KB

MD5
1a044a2f8d003dd2a225796b251bbdf9

SHA1
ebd78aa90dab8ca3c9c96fa2e5d8ed2d9cd4a569

SHA256
15cf7b1ecf21356a42038e268275914e1fc4f0ba0cc35c44b6b497fcb0a61189

SHA512
3c2e631e50b3d3313b43726b8b7bb433049228fd154ac814f58999c082fb426d01702e2e37e6e3e0a6371ffc93a9daca89997ff475146b76b53bdef8749abd3a

Download Submit
C:\Windows\SysWOW64\Cgmkai32.exe

Filesize
64KB

MD5
db3019f4405e0d76136b2313087a1ad0

SHA1
423fea1d1eda623d2d2017e75c2aa1c585d8183f

SHA256
929d7bfe9e8217240f777fd29b2de169ecb30576b468876473ab1b6f5e394058

SHA512
468f52ae5b58055916669b91b2b2309961d3f6f84e78523b29ceca322cf8a211110f9d829a154f5b72b6c27eb1c89d4b6a2ca0c35e52e40444f140f16f00c770

Download Submit
C:\Windows\SysWOW64\Ciedbcob.exe

Filesize
64KB

MD5
93fa06faf5282d0071f0c3b07ca51fb3

SHA1
29570588d67027d5feadcbe3ba182548f71eeeb6

SHA256
d9c2289a38a756066f5331946695900976ecae6304b9e9f6720ac64f8b0e48f4

SHA512
5623957d6600b1215937df64f2c5df383828c6f9e73009c5a0d65735cdb674936335e96acb3321fdddda1c8f1ae177356e63cb4ba55bceb2390d5ae4d1dcb3ed

Download Submit
C:\Windows\SysWOW64\Ciogiagg.exe

Filesize
64KB

MD5
25d614f6499e2da6769dca02e3d1fcd0

SHA1
996fd1f32cf1b4190583df8fa015ebe0cd81d11f

SHA256
bde6926e6eb78d27f3ceb2d7ab03d78985ff001aebd2767eb9ff67d1da51238b

SHA512
6eb638a67700c0678a362b0956d8e8734968af4979529b02b7b54d69566d88a56ca6a894897dd53f740527ab8b83166c904515ae48e3a1395f8d7591fef3a3c7

Download Submit
C:\Windows\SysWOW64\Cjeamffe.exe

Filesize
64KB

MD5
e04aff99fba457465490c969c3f2ba9c

SHA1
817a8b65497c8b2208274e780370c2d06f49b94a

SHA256
b374e44fc6180a34d45eb4b89bdf6284f450c300c691b968da29521d3ff8ea46

SHA512
41d496479737ba80194588c530e237469072e9aa7211c505cb5f3eb9c5fd83efb6a3f1f534adea378410f3d076917278d5fcbddc9bce69616bae17b95c035f45

Download Submit
C:\Windows\SysWOW64\Cjgnbedb.exe

Filesize
64KB

MD5
80505ec604abfa659f9883f1a62effd2

SHA1
9d4ec23a26aa43068c082b31c321a128f93f416a

SHA256
9ec8acc52283867de0d6ff4fd8d9bf5dbd56566db2235279e973be4cc410a0c2

SHA512
4cb10cc2df5c487b5cd39821740dfb96cac7bdc6592a1d89e3e00d2b95589587f8bd9001763a993575154e09c82a9c42783c0a86741e1aa291161676aa1ef955

Download Submit
C:\Windows\SysWOW64\Cjijhe32.exe

Filesize
64KB

MD5
9ff2e8e06e826607b15608def236f1df

SHA1
d6140c2d5b49d0854345fdd593ea6efa2a0c323a

SHA256
35465eeea1bf4eba76226a7c452dfe64248b8452196179dccaf05dc1058db2fa

SHA512
410be00e2b5196f253bd88b47ac3c8b50e318d7669f47d9f358afafba93b1ba5420abdef730a92b11b2b1528a0f9a55b25e97e1622d17272f632ce4b43fcc6f8

Download Submit
C:\Windows\SysWOW64\Cmcmiaei.exe

Filesize
64KB

MD5
39a9fff9f80529cd5f4f340fdf3a30cf

SHA1
92c5c7733f05fb5e0bc4bd60c87cbe711f0c5a2c

SHA256
3ca76ba71f91540597b920ade89b47197cbbc5dd069cb2793f6cb113001a9aeb

SHA512
6cd31c0578d90324d283db4034310a5e92be4d64d41d87f8f5563361ff5bb897aa209c7471de4d985fd3fbe1c7b9333e50167d02cfc2ce9d0444d73ecc796f7b

Download Submit
C:\Windows\SysWOW64\Cmejnacf.exe

Filesize
64KB

MD5
d877e889e447a87f80384037442853ea

SHA1
43b5862f5d10faa76a5492395d42d99b49ef803e

SHA256
109ae42cbf34690a87fcac527fda8eef1f1e64d08988cd7d4a3980d6c280aa68

SHA512
b7484810842dc32ccae341daa5544558ac30354dd6988f7f6c9a86cafadf9042efaa5c70272e67a00adeaefe4381ad69f01f60efd5c54ce582d90b06fe5956f6

Download Submit
C:\Windows\SysWOW64\Cpdfjlbj.exe

Filesize
64KB

MD5
091da788ea14d9a7baba0e64b238253b

SHA1
f168353fe7c42322dd045634b75dcb7886cd004c

SHA256
862ed5a922099fedfb9b5b3ac310e6031258fc0ac391365a4bde35bab211e797

SHA512
d13aff40a3acae70fa7d9f74de53c6b0ae50f71469e0ede08c07b0e1825c740c25b76dae5fb34d1b6046cce96383502905e1db74919a334ff707bb105cd8d664

Download Submit
C:\Windows\SysWOW64\Cpfbpl32.exe

Filesize
64KB

MD5
200d9c6cfb2285c6f59e397c3fbc868a

SHA1
2c2cb075ed1bb5af6d119597f7adb18811acdfbe

SHA256
ad035c0b9fb187c116fb5ed154b6b39a6188b764a7071702cb3c37b93c5ca183

SHA512
37bf6b4a7891b5a17449d3086d4a1863b24f178c3d57dc8fe494083790bc68f4d0c2d1f4e311d0a1cd17c0434357c58647a38551d1432b7f73298e9b91aed870

Download Submit
C:\Windows\SysWOW64\Dahlpo32.exe

Filesize
64KB

MD5
af175eb6f51ce3fd6b2b4b26dd03eba8

SHA1
53ad93d4b7af57734cb705f2ead4e3479fa0dba7

SHA256
5d1394eed334c3a1de579edd304d8da2621bc17482eef64cfb64327aab39355f

SHA512
fca39f76647b15bd33e3953a807b2f320715e2ba452ebe2bb0aae66a108a2685f42c1b3a1ec6e4ce442a441f62b1d4aa1a23fd1e3f28f1279052a1b62576dc5d

Download Submit
C:\Windows\SysWOW64\Dcdkfjfm.exe

Filesize
64KB

MD5
7242a8957fab4737405b9a28bdf57d1b

SHA1
52cf489d4422566d52c0f2d08c6a6e8b4a137aaf

SHA256
a6fdd03bd5150891b330df8f428d05698d8e6151d4a4ba953feaf2afe4736454

SHA512
5ef7037ae048eae576dd9533a819b90fbcfd2ca75f3f31d788100a4f319a0f5a6209c0358020e0789ad5166b382bc4a542a8da926745527ad2d48a92fa11fe9e

Download Submit
C:\Windows\SysWOW64\Dcieaj32.exe

Filesize
64KB

MD5
3db5f9a36223c2970541181a54b78424

SHA1
fb9067646dee22ead7e6111085d8b90ca6adc658

SHA256
af3ba8eb3a60d0b5ef6a8dbc1e73afc151a51d10e4666f91eba0cee19ea53ccd

SHA512
0bc04b4168fb3ea3685af4e936c3e0573094fdc77261de64f8383ce061090ca1def15c0a0b76c0d14b24ebc424d45b6a3127ba8fb558708d182abf71623ee773

Download Submit
C:\Windows\SysWOW64\Dfbhbf32.exe

Filesize
64KB

MD5
583f8ba22e40c8fadd36793748b71947

SHA1
6a0a7eb01fd92defec5e45325169f0e1592d9c30

SHA256
46d5a40b6cd71c5e8372d0815a79b5bbfbb731bae0084f76542f0e992ded03f9

SHA512
fd2c75aa957444b7c242f88997d5d52d96f1c7bbd5ff1d201431fc843b77dc89ff2aabd7909162c2f444862afa29ea56a3ed8c09c113128c7f674fa0868ab89b

Download Submit
C:\Windows\SysWOW64\Dgbdlimd.exe

Filesize
64KB

MD5
6bc3ed74e5d2171324a76044d6534644

SHA1
bf1b33dfaac975a83010763babb889d142a6fb87

SHA256
f49b2b4f1962ee22716b94d8366090637caef8dfcfb7aacf6f3350d0fbf8766d

SHA512
e0d7f5121a8a46606e4c072af3517b5bd900c8267d039f5171caed2917b567cfb907374c49ca8fba398dc1637012b07f321724005c9316554bb9a294f354909c

Download Submit
C:\Windows\SysWOW64\Dhdabhka.exe

Filesize
64KB

MD5
465e488915edf956e227aec7a08e1885

SHA1
515943bfa68f78d1ea8b9e60d2b5e200e9e044b6

SHA256
f142ae1e0321385fbead55968e2e940ef590e0730e2227877ecf20a3d5c34950

SHA512
7bbaf29694e48a36d730244528df7d84c807842ee3c5b778ec19d3f65083c2ff9938b4768f1f79ac18ecdaaf0a865792ab1151902ce4a34d23fd99a5d58da508

Download Submit
C:\Windows\SysWOW64\Diadna32.exe

Filesize
64KB

MD5
753ac06694f597d6af5bd2f79e044c9e

SHA1
c710ecc785601bc69ac5d765856903e65d21abcd

SHA256
a49895cef66364b9fefe8f3c7436d67def6f8be9d7b7ae147c6468f35e03df3c

SHA512
466f1ebd29b27025198b5b3307df9d15ecb42e532a09cb4620c6207375ad9b5093bb2c606c79c0775a3a3ba2ca7d6fec32a0d08d7049b3bd776ae402ec56678b

Download Submit
C:\Windows\SysWOW64\Diemiqqp.exe

Filesize
64KB

MD5
81c331e805880d29f765104de069c536

SHA1
057d5f3fc07c6e627e81799046fe33c776c998f6

SHA256
6c1f0eadcdbba133f421ecdefdbd85cb9b97ec99459695f157386843b4856b38

SHA512
0ab67ad92b05528657e277da6c56c49f6bab44c2a48c2073875f9984288d36136793b3cace27db1d88015099c0971e5da36d670e48971d88646c91d7600e477f

Download Submit
C:\Windows\SysWOW64\Djqphdlg.exe

Filesize
64KB

MD5
575422061f2b1997b276e478f4933c55

SHA1
450d66ad747a95f74478c613399737a10eb01048

SHA256
45861e61e3062954414efab6afffbf445bc633ebbf1c4abee497970e5fa67506

SHA512
72ad72661ea07e0633347d0ea8a6536a99faca53a1e5b2fcdd7c28633f4cfe04fc838b4302ec9fb63d430943ff18bec95be248786c223093f740816a4a571da0

Download Submit
C:\Windows\SysWOW64\Dmaijo32.exe

Filesize
64KB

MD5
61cb3d0ed0046274fe6b746b1baa3c4d

SHA1
888b9064add6a59f7e39f064307a10b210043717

SHA256
51f635b7e3beea8dd9dcf76a2c304de64867868a0413baed33626e813d040416

SHA512
8d07040d069a57ff7a99acc6df61f4b2dce086eabd42225c46cb1e5691edd5bcc500d928481f10cddacc6be5fd4ad549d73b300fb6d01faae41853eaff9f124b

Download Submit
C:\Windows\SysWOW64\Dmmpopmn.exe

Filesize
64KB

MD5
ac279ff4da1c9cf099d4cfd2672901fa

SHA1
6e171b4895ef5050560ca5cc638d7df96041c1dd

SHA256
1b2bf21e74a6e5370a94ff8785c7f93909fc658dafec863c981ef4c3d25c5b10

SHA512
03e5bd212d425a7bc3cdf0d28211249ba681d16a9e85b7fa4eaf5ad0de71e6bdc352547b81e311d292bb5a3e1a22fa589cee35b89a7d11a9d2a70c999c25e452

Download Submit
C:\Windows\SysWOW64\Dmomdpkk.exe

Filesize
64KB

MD5
17e6a9bb24f8f02b99b4a1d9fea788df

SHA1
14a034627d6650c88c54167765cfb9b6630c8310

SHA256
5c30703597e7bbfff05062e5c20027bb3ee33f3a34bcb362c1f806a5913f7712

SHA512
74bc7d9301b20e97dd9cf560338ed9c6c829e7b989b01f1181829e2d0ba6538ca646d7ee3688ade9144826cbf72734e08da563092f27d9171378119a20bd48c3

Download Submit
C:\Windows\SysWOW64\Emmifn32.exe

Filesize
64KB

MD5
c3b5addbaad71fc50829f36e052d679b

SHA1
c755d9def0ea0664cb188768ec387822bbeaf5c5

SHA256
347ac327a5ff81431bb5955b4b98daa330860ec34b865b53ce01f2b2d6450935

SHA512
6c8d9112040be3017e0722969a46fe051413c72663c40a30c573439fbcf69a517a2de55c62073649224db980261c060c94988cb26981a37549da7b075b74a7b5

Download Submit
C:\Windows\SysWOW64\Fhnmoedd.exe

Filesize
64KB

MD5
aadb50b2e49c14a4270175999c1e581d

SHA1
6c6e0fc25099f878d688d42ae5add51082d0a147

SHA256
62da799bba72c27b2669b3fd9ab9aaec9a6dd69c3fb3a832f8775184fb7185f9

SHA512
dff560e37565f3ae23a7e0f16ad0959af8740c89ff607d56a01f16cbefcd2020e0cb81c46e74c43b57a1f06435e39b690a6ca284e548bff99d086f1edd258812

Download Submit
C:\Windows\SysWOW64\Ggmlfp32.exe

Filesize
64KB

MD5
5a9054fbd2982945217c76dcf1477de5

SHA1
e1233d4fb55583b84911b17f2fad955fdc49ff17

SHA256
bf624089b52379dad7d719d19a8706865890b72608018c24c01ad8a3a2520ab4

SHA512
06d6c427db380bd65e59d9cc1439ccf644e6404bdd1b666d373aa7003cb3658135dea75a20aabfa5e540b15550c5847d0ccfe76da9802debe298ab43e70a3afd

Download Submit
C:\Windows\SysWOW64\Hdhcpc32.exe

Filesize
64KB

MD5
db6fe19e5769e6106686a47f01b976e3

SHA1
d1731291023a5a37e564fb0b8451ba5ca407c26f

SHA256
4703162d10161ab3ee66762d2b179e1a79372be05d586ea2c1c9e1c47f34936c

SHA512
029035be9bba97d124c322d8a0d08f331f59576ecab69308248e759979173685b472315bed12edb9ce185ef3009275f995085c28f2c897c5fe438b1e03c73ee0

Download Submit
C:\Windows\SysWOW64\Hdjpfc32.exe

Filesize
64KB

MD5
2aaa88970b1e0b2290be0a34fc3b614a

SHA1
b9123c0bdc16167c9c1ec06ab40dc9287717c099

SHA256
6f3a342a0fee72a46d89f23432c6141290819a94f79bf47ef75e2bb7d40e76a2

SHA512
e3e37e7d409144e2f8e651d888e703486433019466ee9e6c2fea647bc76120c10d06f0454b9bc609c022fd24c10087be11471ae62aa20b297cf7b7c8c5c97a69

Download Submit
C:\Windows\SysWOW64\Hjghnj32.exe

Filesize
64KB

MD5
a7c27a47568c6921305cc9cf0ec3e013

SHA1
f8ef6907b6c34a04961f1e479a7217769d544d5e

SHA256
791fe89638f33963384d2a442e5aed9c99fbc65b2fca2a64e34ea147df28ee22

SHA512
9c6226807d713cd712e7fb8f71ac08792220d11afac074ef426774af8dbc1586a0fc6a67a59c3b9717636c90188190d43942671d362fbc53396d59abf5be6946

Download Submit
C:\Windows\SysWOW64\Hpaqkd32.exe

Filesize
64KB

MD5
80408df68f6511792dec5c0083ffcec1

SHA1
b902b842f2b642fc2d7e52654466b65fc42866b3

SHA256
9f2bf740eb6201e5f8fc6e412b7d48d5848a1da1a0fc588c1533783b90003f39

SHA512
0d78263ae27c5ec6f998f4df77b878bba4dcb7ab8b92ea3d6583a819af10fd28865fb2240be74052fa9c4ef11db472afc18284bc1afe0083aebe4f49a0087ea3

Download Submit
C:\Windows\SysWOW64\Idaffb32.exe

Filesize
64KB

MD5
c39419b46ea14e5d53fe7cc680b0c9bb

SHA1
96cc31cdf1597cb5eb954b0ff8e69a2f0a12f881

SHA256
2e08b989a07f1a1dc505eb1b5e370355fd7aa2a58427f355bff65c7179033566

SHA512
e40e5f66980b73c14614b0238504027b9dab499cd4b185b9223733a7d55bbad4c67b690ad03aa34a9094b38dca8b588b3530aec5f61fff3a7718e351c36a34e8

Download Submit
C:\Windows\SysWOW64\Ikianl32.exe

Filesize
64KB

MD5
53408b2c806d6163440fa5e5391f4a74

SHA1
ce21c1764997f2b820a52e315d249d57e906d3ae

SHA256
a7bfd8670b32e0fdd8fc5104e5ef38fd3e0745f2813abce55b889e21f2e30ac1

SHA512
34aef70e32f709a747d0ba8a5b4a20f29550cd44233f9976f5e4203d4c5986f62db5c3643e91623f90536cfc759a302dd6c91a04b2c356d1146db5d8047712a2

Download Submit
C:\Windows\SysWOW64\Jngfqe32.exe

Filesize
64KB

MD5
fbeb529d86454d6dfe618118680f1906

SHA1
0255fd94f15d694d1d7b44153c40b4c3d8a4a498

SHA256
a32f38bd639ff3b7440f31eadd896ceabd0ffe76ccb5c1a8180b79bcfa43e7fd

SHA512
3cd26d3a53433361d2d22b2b9551d603b37502a84697a9aea1a325f31f235fbd5fb86ae3ba3b5beabc2915ce1b4c266c44e7f6da2e466f6c28ea99ab6fef01f1

Download Submit
C:\Windows\SysWOW64\Kjqdkfpj.exe

Filesize
64KB

MD5
e4cf611ac351f4feab558e0c67044a7c

SHA1
dd762e9d2d958f4ddab29c1548a8a48a2c9f49d7

SHA256
14cc35a3d972399622e6de4bc934084c5df6b1d764571a62af3f1f9676027fa5

SHA512
80f1fabbb7db788f9c883f54a36d959ddc476668584c134a749d487e3fb03fcf3680c815b4f47ccabe8b605c9f5f81731a9af3c8780a70623ab1e13830edeeab

Download Submit
memory/336-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4016-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5324-1157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6008-1190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6564-1125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads