bb6c2e6734754dcda73eea10505c9dbae636d892d982db3764e934ed729c3724

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef77b89b8ec975c3a28d703e49ab2860N.exe
Size

78KB
MD5

ef77b89b8ec975c3a28d703e49ab2860
SHA1

829595ca00869eabdf9f8935f8ab8b1b196996f5
SHA256

bb6c2e6734754dcda73eea10505c9dbae636d892d982db3764e934ed729c3724
SHA512

c8e8c0846ca361e70afbd893eea6b84c5f6e53e78937b4fb1682e22d7ad1ce649037a9a74a3521800177fbc3fceea1f6a21b7c503ddb70f243b9b92b9d060f69
SSDEEP

1536:7VRU2FUXKdlGHST/Zw3ZFZcrlHN8wvVWFAKc3P8WxBkIggsJVHcbns:7g2E0lGHST/Zw3ZFZElHNpPKOPxxBogi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iholohii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbbkocid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dalofi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkoplk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcljmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnkhjdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfbog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkoplk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibnjkbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalofi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcqjal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igjbci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkcbnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbijgp32.exe

Executes dropped EXE 64 IoCs

pid	Process
4908	Cibain32.exe
3932	Cdhffg32.exe
2932	Cmpjoloh.exe
1920	Ccmcgcmp.exe
3076	Cigkdmel.exe
1992	Cdmoafdb.exe
4952	Ciihjmcj.exe
752	Cpcpfg32.exe
4376	Cgmhcaac.exe
1532	Cildom32.exe
3712	Cdaile32.exe
1480	Ccdihbgg.exe
2532	Dkkaiphj.exe
4160	Dinael32.exe
2692	Dphiaffa.exe
2360	Dgdncplk.exe
2416	Dickplko.exe
2880	Dkbgjo32.exe
1800	Dalofi32.exe
556	Dkedonpo.exe
4420	Ddmhhd32.exe
208	Ejjaqk32.exe
2008	Edoencdm.exe
3724	Egnajocq.exe
4736	Enhifi32.exe
944	Ejojljqa.exe
2844	Eafbmgad.exe
1988	Eddnic32.exe
2220	Ekngemhd.exe
432	Eqkondfl.exe
3180	Edfknb32.exe
3592	Eqmlccdi.exe
2460	Fclhpo32.exe
32	Fkcpql32.exe
4860	Fqphic32.exe
5024	Fgiaemic.exe
4792	Fboecfii.exe
4328	Fdmaoahm.exe
1036	Fjjjgh32.exe
732	Fbaahf32.exe
3212	Fgnjqm32.exe
1644	Fbdnne32.exe
4780	Fgqgfl32.exe
2452	Fbfkceca.exe
184	Gkoplk32.exe
3036	Gqkhda32.exe
3972	Gdgdeppb.exe
2284	Gcjdam32.exe
2868	Gdiakp32.exe
2504	Gkcigjel.exe
2704	Gdknpp32.exe
4548	Ggjjlk32.exe
3912	Gjhfif32.exe
1680	Gcqjal32.exe
3308	Gnfooe32.exe
884	Gbbkocid.exe
1088	Hepgkohh.exe
1556	Hccggl32.exe
2852	Hkjohi32.exe
4632	Hnhkdd32.exe
4056	Hbdgec32.exe
3052	Hebcao32.exe
3612	Hgapmj32.exe
4176	Hbfdjc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kkpnga32.exe	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Pnlhmpgg.dll	Cibain32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Cdmoafdb.exe
File opened for modification	C:\Windows\SysWOW64\Ejjaqk32.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Ibnjkbog.exe	Hkcbnh32.exe
File created	C:\Windows\SysWOW64\Bochcckb.dll	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Dbnefjjd.dll	Jaqcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Hchqbkkm.exe	Heepfn32.exe
File created	C:\Windows\SysWOW64\Lmgglf32.dll	Inidkb32.exe
File created	C:\Windows\SysWOW64\Iajmmm32.exe	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Jdopjh32.exe	Jaqcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Jeaiij32.exe	Jaemilci.exe
File opened for modification	C:\Windows\SysWOW64\Fboecfii.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Obcckehh.dll	Iagqgn32.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Balfdi32.dll	Jnpjlajn.exe
File opened for modification	C:\Windows\SysWOW64\Kaaldjil.exe	Kocphojh.exe
File opened for modification	C:\Windows\SysWOW64\Lknjhokg.exe	Lddble32.exe
File created	C:\Windows\SysWOW64\Ikfbpdlg.dll	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Gjhfif32.exe	Ggjjlk32.exe
File created	C:\Windows\SysWOW64\Dadeofnh.dll	Heepfn32.exe
File created	C:\Windows\SysWOW64\Kocphojh.exe	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Gqhomdeb.dll	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	ef77b89b8ec975c3a28d703e49ab2860N.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Ndmojj32.dll	Ejjaqk32.exe
File opened for modification	C:\Windows\SysWOW64\Ilmedf32.exe	Ihaidhgf.exe
File opened for modification	C:\Windows\SysWOW64\Klmnkdal.exe	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Kblpcndd.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Foolmeif.dll	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Eqkondfl.exe	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Hbdgec32.exe	Hnhkdd32.exe
File opened for modification	C:\Windows\SysWOW64\Icachjbb.exe	Iabglnco.exe
File created	C:\Windows\SysWOW64\Kdkoef32.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Kejloi32.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Hnhkdd32.exe	Hkjohi32.exe
File created	C:\Windows\SysWOW64\Jhbejblj.dll	Hgcmbj32.exe
File created	C:\Windows\SysWOW64\Lndkebgi.dll	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	Fgqgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ijbbfc32.exe	Ihceigec.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Kqcdne32.dll	Hccggl32.exe
File created	C:\Windows\SysWOW64\Cpclaedf.dll	Hnkhjdle.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Bhkacq32.dll	Edoencdm.exe
File created	C:\Windows\SysWOW64\Hbfdjc32.exe	Hnkhjdle.exe
File created	C:\Windows\SysWOW64\Djojepof.dll	Fboecfii.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Gkoplk32.exe
File created	C:\Windows\SysWOW64\Dmfbkh32.dll	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Ldbefe32.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Ccmcgcmp.exe
File opened for modification	C:\Windows\SysWOW64\Gdgdeppb.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Gkcigjel.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Iaedanal.exe	Ilhkigcd.exe
File created	C:\Windows\SysWOW64\Jeolckne.exe	Jjihfbno.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Ekngemhd.exe	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Iholohii.exe	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Ijaaij32.dll	Jogqlpde.exe
File created	C:\Windows\SysWOW64\Enhifi32.exe	Egnajocq.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Clhgbgki.dll	Gdknpp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6860	6712	WerFault.exe	242

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjohi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfbog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdopjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcpfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnfooe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef77b89b8ec975c3a28d703e49ab2860N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgdeppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hccggl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnjkbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icachjbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icfmci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaedanal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafbmgad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkcigjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaaldjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgcmbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjdam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggjjlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fboecfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hchqbkkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iholohii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhgbgki.dll"	Gdknpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnkhjdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkcghg32.dll"	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbdgec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejojljqa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongimkh.dll"	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekjhmdj.dll"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohogfgd.dll"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjhfif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ef77b89b8ec975c3a28d703e49ab2860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifcnk32.dll"	Gkoplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbbkocid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hebcao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll"	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaifo32.dll"	Hkaeih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbiapb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkcigjel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccggl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll"	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffahdpm.dll"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfqbll32.dll"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpjea32.dll"	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kahinkaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhkbjdi.dll"	Gjhfif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll"	Cdmoafdb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4908	1376	ef77b89b8ec975c3a28d703e49ab2860N.exe	91
PID 1376 wrote to memory of 4908	1376	ef77b89b8ec975c3a28d703e49ab2860N.exe	91
PID 1376 wrote to memory of 4908	1376	ef77b89b8ec975c3a28d703e49ab2860N.exe	91
PID 4908 wrote to memory of 3932	4908	Cibain32.exe	92
PID 4908 wrote to memory of 3932	4908	Cibain32.exe	92
PID 4908 wrote to memory of 3932	4908	Cibain32.exe	92
PID 3932 wrote to memory of 2932	3932	Cdhffg32.exe	93
PID 3932 wrote to memory of 2932	3932	Cdhffg32.exe	93
PID 3932 wrote to memory of 2932	3932	Cdhffg32.exe	93
PID 2932 wrote to memory of 1920	2932	Cmpjoloh.exe	94
PID 2932 wrote to memory of 1920	2932	Cmpjoloh.exe	94
PID 2932 wrote to memory of 1920	2932	Cmpjoloh.exe	94
PID 1920 wrote to memory of 3076	1920	Ccmcgcmp.exe	95
PID 1920 wrote to memory of 3076	1920	Ccmcgcmp.exe	95
PID 1920 wrote to memory of 3076	1920	Ccmcgcmp.exe	95
PID 3076 wrote to memory of 1992	3076	Cigkdmel.exe	96
PID 3076 wrote to memory of 1992	3076	Cigkdmel.exe	96
PID 3076 wrote to memory of 1992	3076	Cigkdmel.exe	96
PID 1992 wrote to memory of 4952	1992	Cdmoafdb.exe	97
PID 1992 wrote to memory of 4952	1992	Cdmoafdb.exe	97
PID 1992 wrote to memory of 4952	1992	Cdmoafdb.exe	97
PID 4952 wrote to memory of 752	4952	Ciihjmcj.exe	98
PID 4952 wrote to memory of 752	4952	Ciihjmcj.exe	98
PID 4952 wrote to memory of 752	4952	Ciihjmcj.exe	98
PID 752 wrote to memory of 4376	752	Cpcpfg32.exe	99
PID 752 wrote to memory of 4376	752	Cpcpfg32.exe	99
PID 752 wrote to memory of 4376	752	Cpcpfg32.exe	99
PID 4376 wrote to memory of 1532	4376	Cgmhcaac.exe	100
PID 4376 wrote to memory of 1532	4376	Cgmhcaac.exe	100
PID 4376 wrote to memory of 1532	4376	Cgmhcaac.exe	100
PID 1532 wrote to memory of 3712	1532	Cildom32.exe	102
PID 1532 wrote to memory of 3712	1532	Cildom32.exe	102
PID 1532 wrote to memory of 3712	1532	Cildom32.exe	102
PID 3712 wrote to memory of 1480	3712	Cdaile32.exe	103
PID 3712 wrote to memory of 1480	3712	Cdaile32.exe	103
PID 3712 wrote to memory of 1480	3712	Cdaile32.exe	103
PID 1480 wrote to memory of 2532	1480	Ccdihbgg.exe	104
PID 1480 wrote to memory of 2532	1480	Ccdihbgg.exe	104
PID 1480 wrote to memory of 2532	1480	Ccdihbgg.exe	104
PID 2532 wrote to memory of 4160	2532	Dkkaiphj.exe	105
PID 2532 wrote to memory of 4160	2532	Dkkaiphj.exe	105
PID 2532 wrote to memory of 4160	2532	Dkkaiphj.exe	105
PID 4160 wrote to memory of 2692	4160	Dinael32.exe	107
PID 4160 wrote to memory of 2692	4160	Dinael32.exe	107
PID 4160 wrote to memory of 2692	4160	Dinael32.exe	107
PID 2692 wrote to memory of 2360	2692	Dphiaffa.exe	108
PID 2692 wrote to memory of 2360	2692	Dphiaffa.exe	108
PID 2692 wrote to memory of 2360	2692	Dphiaffa.exe	108
PID 2360 wrote to memory of 2416	2360	Dgdncplk.exe	109
PID 2360 wrote to memory of 2416	2360	Dgdncplk.exe	109
PID 2360 wrote to memory of 2416	2360	Dgdncplk.exe	109
PID 2416 wrote to memory of 2880	2416	Dickplko.exe	110
PID 2416 wrote to memory of 2880	2416	Dickplko.exe	110
PID 2416 wrote to memory of 2880	2416	Dickplko.exe	110
PID 2880 wrote to memory of 1800	2880	Dkbgjo32.exe	111
PID 2880 wrote to memory of 1800	2880	Dkbgjo32.exe	111
PID 2880 wrote to memory of 1800	2880	Dkbgjo32.exe	111
PID 1800 wrote to memory of 556	1800	Dalofi32.exe	112
PID 1800 wrote to memory of 556	1800	Dalofi32.exe	112
PID 1800 wrote to memory of 556	1800	Dalofi32.exe	112
PID 556 wrote to memory of 4420	556	Dkedonpo.exe	114
PID 556 wrote to memory of 4420	556	Dkedonpo.exe	114
PID 556 wrote to memory of 4420	556	Dkedonpo.exe	114
PID 4420 wrote to memory of 208	4420	Ddmhhd32.exe	115

C:\Users\Admin\AppData\Local\Temp\ef77b89b8ec975c3a28d703e49ab2860N.exe
"C:\Users\Admin\AppData\Local\Temp\ef77b89b8ec975c3a28d703e49ab2860N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\Cibain32.exe
  C:\Windows\system32\Cibain32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Cdhffg32.exe
    C:\Windows\system32\Cdhffg32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\SysWOW64\Cmpjoloh.exe
      C:\Windows\system32\Cmpjoloh.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        33⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Gjhfif32.exe
        
        C:\Windows\system32\Gjhfif32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Gcqjal32.exe
        
        C:\Windows\system32\Gcqjal32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Gnfooe32.exe
        
        C:\Windows\system32\Gnfooe32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Hepgkohh.exe
        
        C:\Windows\system32\Hepgkohh.exe
        58⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Hbdgec32.exe
        
        C:\Windows\system32\Hbdgec32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Hebcao32.exe
        
        C:\Windows\system32\Hebcao32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Hnkhjdle.exe
        
        C:\Windows\system32\Hnkhjdle.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        66⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        67⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Hbiapb32.exe
        
        C:\Windows\system32\Hbiapb32.exe
        70⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        71⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        77⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        78⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        80⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        89⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        96⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        98⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        104⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        105⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        107⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        108⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        109⤵
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        110⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        119⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        120⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        123⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        129⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6876
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        133⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7052
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        136⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        140⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        142⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        143⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        144⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 400
        147⤵
        Program crash
        
        PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6712 -ip 6712
1⤵
PID:6820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4384,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3264 /prefetch:8
1⤵
PID:6260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
78KB

MD5
36e9873386f5d53f15dc815010b163fd

SHA1
38a27a88e6bad92b662e72c6a8cc7a5029c05663

SHA256
5c5b1c404863defd0e1896c896a07f810e50af6e91cb7fbb07d5f92bcd3bc44c

SHA512
51d08a5b36c629428cf10f44471be68563b8734dc3de45939810627ab4e2029792c94f021417feb886e4ca473e78cc1a8d2dc544cec730789982b122c0f0048f

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
78KB

MD5
5deeed63ecc13f9fe7557e6361a28b86

SHA1
377a0bd61c377e0c27e298418ddd01a4e4c59a8d

SHA256
a9f5f464b46337911a95c4800a8c76eef5bf73e9d706b82aad45799da3ecdbb9

SHA512
d3cabfdf93f56ed3759911f7bcfb7e87d1e79acd880a7922835bf7ce9d999f3cd78c3f51aed92f3b382ddaa6ead230585a755aa8d671db98d20ecacf7b4604d5

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
78KB

MD5
98e9640bf981f09deab3f82a7e89102f

SHA1
6f334e2ca5e2301e3007ec78a1e195e9e2d164d0

SHA256
03dd3e336a601f663c2b9fb80ce10c3490e87d33a89bb5583cb573bf87421e6f

SHA512
7e61d60c4c41c0a270ed636987532abddd497056937858dede8ce8b35a9b585b74e142d4a2912a08ffa26ff42575b9eb485a84f10c87ba1a4dccafbee4de6e24

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
78KB

MD5
b12fa97dc3b4e073bfe6774a11243d10

SHA1
4651e538f6371ac111b126415a29d7a10f7128b0

SHA256
95c2f4c1b9858573e98ef5b873057efb9914d3378459b882fe540b1bbf89f139

SHA512
9fb0cf9dada42a72691c1ff4715352d8525438919e0f1f99a481600e118a034bb43fed65b0e94feb7c8e93a7ddc9a2b99be76a0063fab8befe8935f25f08bea3

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
78KB

MD5
b52db9e2cbe1084b700e5810a8607e44

SHA1
c298293502238c3b8fba23fceed42c68f4e3311b

SHA256
dc2a5004c0613d7f1a6be6e8edd4de883b91a6f2f69df964f515d3e9fe774e06

SHA512
2c5cb9f80c3769c1d562b67391da7ec0d73735b9b6b4ee8a005ec4233e0692fca2b64b83bd5104fa913a8d53e060391e164375e12b50fe12c12cf199c727d1c3

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
78KB

MD5
8c8c9d7fb6cf87c772a9075e0a0b04c1

SHA1
55cadb3add90bd18a2370f6127a9ff3eee84bfcf

SHA256
7ecc7facb047ce703d007456ff14c6fee60683486fab827fd8f6a27c2bc5f7b5

SHA512
08c46fef7e7d810cb2b1f625bdf305844a49c0b5fa418906df54e09c64e6e9fb061c4652b1cbf47017fff8ee55775130272c12f52f365c934149e6f2f4c5c86b

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
78KB

MD5
bae7f090d531cff8bbb27af94b33624e

SHA1
296b294f3125e1c6118c6ba7f58a6ecc7c2e7621

SHA256
82ff6b1bbb6cee02c51e7085aceb0ddb67e3bb697273b0fed14221442be2cec1

SHA512
2cad8187177d4c5faf4d51f73c8a68240d07740131adc32e3414e4f1c894a006fe89619317b3797321ae81051ddb759409e6ac6c963b72b0def5b7161443f4c0

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
78KB

MD5
fa4fddd54d2f8ce84570ee1c24981c63

SHA1
9d640de6c174c4367f041a8bf7ad85ce88b90428

SHA256
e0e38ee8fd3f813b3bebce77e679aa5687f0f95e0e8974da43a5666d1d49177e

SHA512
5fa553da7a10505a6041e5fc41bd76d8768c61d739518d40e8d0d4b904c7680fbd6fbd042ec9bd28ad4e8c542d20fc0747583a97192ab17c60388f625eff9f3c

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
78KB

MD5
8f371bb5bfd5b3ac34e4f3b018e66dc8

SHA1
58684ba16c68be4fdc8724accdfb41ceb5b09619

SHA256
280775daddf73082fb873303658bd87321230355e1fd31355b0aaed1eac7e4c1

SHA512
1985e790637805f85306063f3a92a826501bc1f6127fe10fb4fd2f822c5f90067c3d78bf654707ab694af1f2ec45d46d1eaae58558d119c44d2634c25dc034a6

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
78KB

MD5
cbabc50153364d304bf197832fd7d7c5

SHA1
626f4d8f3789a91fb3a7fcaadb42f6303b33b9a5

SHA256
27906eaac3c719a5aacf067e8efab4cb0a8cbf26e02abc18dca38c737d2d9cb6

SHA512
2e3452f89442bc7ec65d0916210cfb30e45e74e4c8e03f2cab0c734a1de6c2b746631e41f1face3e82cb39fa461ff96255d68c13cb70c176008f7f016aced155

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
78KB

MD5
ee19d18a51d305480881fe7571a2839c

SHA1
65f14451132e78b980e97c26e9035eea90b58c88

SHA256
bf736fbd2ba66565885d941d126e9a6f8230656e3a8a6a636ff41129c6db7799

SHA512
141c4697161b3e26ae2b84149feeb399f7bd50038127590f540dc25013fa87cc9dff0db0c3ccb6a716fd79961d88c01b1e7d237c4b667ccf2c6fde3db577a5eb

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
78KB

MD5
cf196b35478c1824c98a7d1888cfe680

SHA1
5c0a7d15d2cea998787fa2f8c1ecd0d331840098

SHA256
317e1f847341f0248d405b0d9b63c3ebc702e754327bbf09d3c551cfca23b2fe

SHA512
bf9aef9d779c27327739ff667feecab60e690a7cb53cc34fedf123341f4a8c051d33eb887a6f394c875a5e688b71789336ae9f096524fd0f321f482ce5b40ddc

Download Submit
C:\Windows\SysWOW64\Dalofi32.exe

Filesize
78KB

MD5
ca24c7daa14f57fa47c59938e5b5be49

SHA1
c7c57771deee1d1a0920bc3092ad2f10fea0161b

SHA256
7f00207a55c5c9a35eed28cca82543111a3b406252c8b52cbca516425f97695e

SHA512
0daa8bb86ac4f6fda37d1c7e5d74585e3428e66b245d6cbac6a50dbb616efed5fe9f98b67b3ba2d7daa1ed912d093bdadc7e19b3421d1824b4c214337e3a0f29

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
78KB

MD5
08797d04b40116d04a4e34184987397a

SHA1
448fc5aac0ce788fd9eff19fae3ba0f33d4793eb

SHA256
5189d48f4107daf5d6564bae925fb61f78ff2e22be3a529e463703502014dbdb

SHA512
7960fc63794bb89862a03dc16b368cf113f9b12d816e0826a8edcf60df38efb07f7eba58d46d6ff5bef80cd0fcb78fa0e758b6d2e817e710cfdb6b54a5e54778

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
78KB

MD5
9766779a694c0ce1f3c7d36af2e390b6

SHA1
1176ecd4517447c8e7f1b7bccee4545e0f6a78e4

SHA256
200a475bf9d76b8cbc53d7dcf2d6b49ce00a7c6e51219b59e7692e954e3cb041

SHA512
e0c441893fdcc89e2dc8682875dcc9cf1de749ce7563f13f5c0f366de29687d1c4e164613770a69df33c9f9b42aa94686d38da440bed458298caf8a65bb51cdb

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
78KB

MD5
03057f4e20012dcb3e84bcbbff9599ea

SHA1
a535a0e1a47fe6430c518d69b25751ad13d77b2c

SHA256
fc9180cd7583ed6031a2467ddace0524e11812ac485e1d5cdca66971bd1860d0

SHA512
30093779c7481f25b573875558bc3cb3ebd0a400ef2049ae4ede6666537c2d3517c4c114625eda3055aa994a2e0441cd39b0ff88415923a8c44aa2cba260bc2a

Download Submit
C:\Windows\SysWOW64\Dinael32.exe

Filesize
78KB

MD5
087d034620ffbe7741ba79e6e87f1a74

SHA1
17a77236a48da9a1b664e428c24d9b88a839cdde

SHA256
ea9e71560005ce6858d59ef69543bb26cb73dfcb484e2314e2e5bb6abec911f7

SHA512
7658b5b6f8ef3992cfa88f1470498f7c150a0fca432f117ea2efb42fc703509e1be29e843d1cf3f8b78abf2db74074eadb29fd69d86f9676a74ce288525a64bd

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
78KB

MD5
defcc147ee16bcc31baf39b919e67d22

SHA1
69a5b0178d51a09902e27237e791b7b5cf90351b

SHA256
ea398937e677141a4247d3c2c0de6b87f4a3e5f65f21c5ba703a49d2d00dba12

SHA512
c056f3361f4b07f6c921a6b343c0cd0b725f8ed7934afad8b9ca41dac0c8a83108f6d231907bcfb86f33e9f12ba44267dd89d5cf3afda037686e7aa2f7bc88bb

Download Submit
C:\Windows\SysWOW64\Dkedonpo.exe

Filesize
78KB

MD5
49e1908226aa5bd0b9955236d2881b8d

SHA1
9d26bc25a31924151a7b55f4cf624aed818e8e7d

SHA256
537e0b97f0f6ee28e9b9189f9c034fbe267edf003ce069bac6c00d59fd1be5ed

SHA512
1264d8e6f8964c9c432b3e37c40b76b31b296e2e976e80e10f89d1a1f6df17abac2d3aa5e3e88f5b3c244fc0c8a6eae1b82ea18588c9cabefbeb689656444353

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
78KB

MD5
11c94276468d91b65117ebab1f14118a

SHA1
e5285410bcebeaa8fc6072ad4534dc8d7d763364

SHA256
a271a0e2fbbe6e40d6983712528d64bfb40769507bfbc60823635ab6a7ae826f

SHA512
dce9d9762d13226832236ef2227da0cb022a7748c9227630ea7c9b85bd5326253fc6dacf45c6c93c35d13241928bbee085e1b0aaa61124c28e57cba641549ffc

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
78KB

MD5
00a026ed2e64e9becfe55eb65794bd65

SHA1
c42b90ef2207230790670f0226b80971f2469398

SHA256
349000eb377e13b0f830e5a6771ec3c8a2d9dcd57ba9faf1035dd4256c8f6193

SHA512
ecae33fa49f5c81fce998bf26c54207d5bdf04845a6377376e2ed2789c0481ab66b7cd404e49d4d6ca99ae5afebfe4a201cad840d1775f864f0f341d03ea3334

Download Submit
C:\Windows\SysWOW64\Eafbmgad.exe

Filesize
78KB

MD5
84c710a6141ba5f8920aa433d7d0593f

SHA1
e03b35bc14590d86f9649fdd416088a425b11158

SHA256
e4a7b98ee9178a6ea0234057b5424b6d18da95b2f72c7cdcf465ff34491cd26c

SHA512
94b54007815ae9f6cead850b315d1695b8eaad9661d6746e170f86a7ea16f1d530b413cad85ac7be4073d7f3f584166e2e1e7ff85e91887933394a6873876017

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
78KB

MD5
d7eb878e952d87dcce43d22f04c43381

SHA1
30effd5839ed068bb185ff7935ae56f2b253fbab

SHA256
676477fc51d9ea693de8cae10ccbff35a076644c3d46121db9408fad51689279

SHA512
83f8cd11580113df463e8af14c82b56abe04d033d0ab8fc6861ea15d2bf615470458298d65ae7ff008b653381fa093379d2e07da79d356b4d2a8af9925049170

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
78KB

MD5
51cae2a28f3419cd05b802fda70ad12c

SHA1
a550e3d2a5b168414b86cfae21ce0edde70f9be7

SHA256
2eb3cf5af022d588ae2636a654f93e1f5afe8160bef98c146047f975d8c3b720

SHA512
29c0e1dc1a6817503a06192b97fecc31089d6e2dc3519925c27802623d3af1f6ec0808de0a9d13407eae1e88d3251f25745f78fbf6439bd36030a0aeaee5fa50

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
78KB

MD5
b35ef97baf3400b3e73dc630db543943

SHA1
fcad41e186a4bfc9e13c18ecdfdc01bdf5f9ef23

SHA256
de6dd9d70ddf83af57c07b3f9bae4c826e47d0cf5acc41a521240cb6823368a4

SHA512
8476cdb321aed804c731900e9ec3ca92636cac4297dec893d245a5a232adf4c468646703ba97b690376cc4b90bd1deea8f368bc3a7b59e5d4b67c8216230eb06

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
78KB

MD5
e69abead0c87540b8fedbb27f649440f

SHA1
419c1ddc52b21fb37b0d71377a164d1eb13719b5

SHA256
9414c155b7ca7ceec89d707b9843dda3c13d4cde139f75d4beac5cd990d6e208

SHA512
852bac3358c5da60be527f7448dda9c0f2b519854c234958306a787b9d33b0160aecc914a4f101b864813ab4981533a9b74f69fe4f867915ba81136e8caeb274

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
78KB

MD5
95a66262c37a6d0e181974d8d3316bfa

SHA1
12469450f9151dcb9e4ef465c1f1a9122acde985

SHA256
0120fff2cab52fb13a9ca3bd741300496a3a1942e2923e96a36a35eeb4a521a1

SHA512
c25b6bd84abbd12e7569f6b50b8301cf5cc72856e0e740a5774c176567781541fb88fee3541f4d90e5706d2bd8a7ee026f4cc20d348fe9bd7bc9d7491f9a30db

Download Submit
C:\Windows\SysWOW64\Ejojljqa.exe

Filesize
78KB

MD5
337c5e55b0fc48b8b7bbec9d0ba85bbc

SHA1
a8f8f3bbd92d2a3bdc1fb0a93be1da3dabcee88f

SHA256
4fad92e04e65e13088a823d594c7c2fafb774a829a75bfaff8c71a77c7442a71

SHA512
4623c40ddc81b3f4758552891cb9f77234e2172d741431f6d128a104f94ba0716e44663b9e50cd4ee267ee39dcd06e9ece71176a434f29f471ee776bd5a051a7

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
78KB

MD5
ea0fd5a473d80dce013d55dc0020118a

SHA1
62a8e47fa1d26566b13ccba0418b53180b7ac199

SHA256
455129c62cee686ef22450d7ca2a42a221754f197bb52debe0144c038527bb94

SHA512
5ac49e81e77affddc079b55f982b9ab77ac926e2e2cb927eef7584c5f73c92f21cd43f76755f10b6c213d79421125c21d23114eac9beac3e95152b0cb82aaf4c

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe

Filesize
78KB

MD5
df24932b56f0a39d43154ff9e3d94039

SHA1
6d89dc15f7be40788e919bb6032f761df8b94539

SHA256
cd47e1018cb49fb6b376cc228dfa81d67ac40c5e0a00f5c314a7bdbea3c991eb

SHA512
da91bf6503002440d0582abeafb05f69dc708a3b003781a760fbff0d97bcd9d34f267f5406bf4858034b95d332a7dc87d035bc57f86600dca2d01e25723116bb

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
78KB

MD5
b5c851585da4df26fa423c7eb8bef4d1

SHA1
5ef9467b48bb3fa24785dffd16b1927f20d0dfc7

SHA256
e2464da668cc05fd4a39ae1b2f091cc59854681d996009508ea209585d0afdc7

SHA512
99bc78124e1917cf3eae6b27a16df54a52b0660010c4b8f1faf19dbac64b5931e430462dbf14d6016baaa158120a4b6829afbd31951f582d4a59db08f6f2085f

Download Submit
C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
78KB

MD5
a267097ad2765555b1ecfaedca6dd28d

SHA1
051ac41f6af4b014623c0876ae52ef4aa40a9001

SHA256
993ff46896dd89971bf20b6dda7f20b46a60227e4a85910ecf0010ff0796e561

SHA512
c2902993f873373ba83a65c64e5589d63569257b7239b11365014477b3574c8ee0014e8522561cbf9a13cf7ebb2f28fa8b9544cf6494269657633f865d49c811

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
78KB

MD5
135d59a7a7be18f2f2c36c3709a7eb06

SHA1
97a5e07e5b94f8f6a4ff168418e5c37807b522a5

SHA256
d8d853c51f199871e39262e9b993348851bad39ff80c7c438be763baac985c61

SHA512
2a2a01bdeb772f0a069cdf010a33ceacfc2cb372463fba2eb5a99f13f5d691bead151b893894eef728ff761d349c5bbda1c6489c742116242f60a54d6fc3f5fb

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
78KB

MD5
5f6acd4817df596a83d7a1b83be0af1f

SHA1
4e79f6b65e9ae3672af9928c147d665c1cb7f691

SHA256
a07a7deff3791f23cfc10b972b6843e7cd953e32157f3557ec7dc138c70c5869

SHA512
601c11ed9347f5a20e400b6dc60c595370a57a80db451f6bd83ca3831e8076d0ee1719112eb560312d066e1ad71b896ed7c851a9729129f4f696532dc914e87b

Download Submit
C:\Windows\SysWOW64\Ilhkigcd.exe

Filesize
78KB

MD5
798a9f74d13c876a10aa93527e69b2f7

SHA1
c0839b7d2f301e264cb22045d41a5c3b888b3ad0

SHA256
615a31e2525dec53dcf66681b098a73743363f41760a2dbb905617cf51f234c8

SHA512
e543e8994981ae4ddb2271bc20d5339892b99f1dcd8ce34db92b20b657d8c3c171ffb33f056eb09c753efe62a4c53de4ba37fe22b08a46eab3b3a571680a5571

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
78KB

MD5
e910fbf9576e09d82caf73276850f858

SHA1
befc56f84004ce4701665d990eb7c76581fdd22e

SHA256
f332f0f8019a045f186fb324a024f73a7f1e1efc877a52666e07bda99117bb12

SHA512
408312322f64abb197bda8ca1233016be5f0b016f1a7b23a38b4fec55a759b01c4653ff81964cba7fa302eacdb43d549da5708fbe1e64c6253aead7d9f325bab

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
78KB

MD5
601a6104f2bc35deaee0f8472b1d8b12

SHA1
71dc42848dcbddfd255560da18e612d979e86e58

SHA256
e9992573f4dc2d8c508b04f65d14bb81fc176da969c7773597d511b5c99baecb

SHA512
f303f9082d97ca8272c80bbec6e9f573dd1f0343b6911d93bac70f4f6c948c2e806e9484e10b6009721c3fa6035e919b018af443031b99661fae89f20b0399a8

Download Submit
memory/32-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/32-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/184-366-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/208-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/208-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/432-265-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/556-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/556-172-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/732-331-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/732-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/752-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/752-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1036-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1036-393-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1376-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1376-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1376-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1532-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1532-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1644-414-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1644-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1680-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1920-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1920-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2360-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2360-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-237-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-428-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2532-113-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2692-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2692-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2844-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2868-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2880-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2880-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3036-373-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3076-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3076-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3180-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3180-337-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3212-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3212-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3592-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3592-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3712-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3712-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3724-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3912-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3972-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4160-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4160-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4328-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4328-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4420-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4420-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4548-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4780-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4780-421-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4792-379-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4792-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-365-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4952-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4952-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5024-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5024-372-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads