4feeb29d0cd1316f1a5aa98638787dc2f55f887f3bf11604deb255a3f9796123

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 06:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d5b0212ea6a728e4766a85c7cede020N.exe
Size

290KB
MD5

4d5b0212ea6a728e4766a85c7cede020
SHA1

17bac400e79ab9c68209bfe8661b046d782663bc
SHA256

4feeb29d0cd1316f1a5aa98638787dc2f55f887f3bf11604deb255a3f9796123
SHA512

19d63f77f03a1cdcfdbd8910eb700f8242270567dd66da3fec4224db1e5b5318b4c51b6fb918523650f144e135c7646cec8225ff11e1d6c7ff345de255975b03
SSDEEP

6144:I1cBK3UsUmKyIxLDXXoq9FJZCUmKyIxL:6cBQ532XXf9Do3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgknlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajien32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehbmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmmbmkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhknhona.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcfoelbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caafop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eafhamig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiameofb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhhhla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jngfqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epnbgill.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhlpie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hanpoggj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgkanl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdjgoefc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkcolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkoogn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnnkcibf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbnifd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlpdbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiffpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhqiddba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkelngg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igbohm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inndjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbnifd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkhhgoij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkkelngg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnknni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igdknmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjimqjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cflaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciljcbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekcfealb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdjgoefc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hniahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgnndk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fppomhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhqiddba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gplnigpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdefkcle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haigdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgkanl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqhpbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bichmcae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfdqjga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djejcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igfhclkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cacbdoil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhijmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpkbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emoekm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fppomhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkhppa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmkeglbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkmikpcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkoeqpae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikknclie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibgcef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eimcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpeaoeha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnknni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqaiaaoa.exe

Executes dropped EXE 64 IoCs

pid	Process
3160	Bcfoelbm.exe
5036	Bichmcae.exe
2928	Bpmpjm32.exe
1856	Cfghfgpo.exe
2332	Cmapca32.exe
4064	Cgfdqjga.exe
1828	Cjeamffe.exe
3436	Caoiip32.exe
4984	Cflaag32.exe
4112	Caafop32.exe
3108	Cgknlj32.exe
4912	Ciljcbij.exe
2312	Cacbdoil.exe
4280	Cgmkai32.exe
4444	Cmjcip32.exe
4156	Dcdkfjfm.exe
2072	Dfbhbf32.exe
4164	Dpklkkla.exe
3496	Dgbdlimd.exe
1916	Djqphdlg.exe
2436	Dajien32.exe
3904	Dcieaj32.exe
3340	Diemiqqp.exe
5020	Dckagiqe.exe
2088	Djejcc32.exe
2068	Dpbblj32.exe
3552	Dhijmh32.exe
1808	Dmfceoec.exe
704	Edpkbi32.exe
564	Eimcjp32.exe
2196	Edbhgh32.exe
1360	Ejlpdbbj.exe
3992	Eafhamig.exe
1332	Edddmhhk.exe
1204	Ehppng32.exe
3376	Efcqicgo.exe
872	Eiameofb.exe
1236	Eaheflgd.exe
1876	Edgabhfh.exe
5000	Ehbmcf32.exe
1848	Eicjkodp.exe
2472	Emoekm32.exe
1112	Epnbgill.exe
988	Edinhg32.exe
404	Ekcfealb.exe
3228	Eiffpn32.exe
180	Famnal32.exe
3960	Fppomhjj.exe
4524	Fhgfnfjl.exe
224	Ffjgjb32.exe
4908	Fihcfn32.exe
4496	Fapkgk32.exe
2820	Fdngcgpp.exe
1664	Fflcobod.exe
2556	Fkhppa32.exe
5108	Fmflll32.exe
4068	Fpehhh32.exe
2100	Fhlpie32.exe
1500	Fimlamle.exe
1968	Faddbkmg.exe
4636	Fdbqnflk.exe
3716	Fgamja32.exe
2216	Fkmikpcg.exe
984	Fmkeglbk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ihmbgqja.exe	Ijlaiibb.exe
File opened for modification	C:\Windows\SysWOW64\Jbnifd32.exe	Jjgaeg32.exe
File opened for modification	C:\Windows\SysWOW64\Cgknlj32.exe	Caafop32.exe
File opened for modification	C:\Windows\SysWOW64\Dcieaj32.exe	Dajien32.exe
File created	C:\Windows\SysWOW64\Eimcjp32.exe	Edpkbi32.exe
File created	C:\Windows\SysWOW64\Kppjofdi.dll	Fapkgk32.exe
File created	C:\Windows\SysWOW64\Hdefkcle.exe	Hnknni32.exe
File created	C:\Windows\SysWOW64\Aenqilml.dll	Jkkgjj32.exe
File created	C:\Windows\SysWOW64\Jpnqml32.dll	Jqhpbq32.exe
File created	C:\Windows\SysWOW64\Eicjkodp.exe	Ehbmcf32.exe
File created	C:\Windows\SysWOW64\Epnbgill.exe	Emoekm32.exe
File created	C:\Windows\SysWOW64\Iqhfkcgl.exe	Ikknclie.exe
File created	C:\Windows\SysWOW64\Knlpldhc.exe	Kkndpi32.exe
File opened for modification	C:\Windows\SysWOW64\Jjgaeg32.exe	Jdjimqjm.exe
File created	C:\Windows\SysWOW64\Cgfdqjga.exe	Cmapca32.exe
File opened for modification	C:\Windows\SysWOW64\Emoekm32.exe	Eicjkodp.exe
File created	C:\Windows\SysWOW64\Nooalmcf.dll	Famnal32.exe
File created	C:\Windows\SysWOW64\Fmkeglbk.exe	Fkmikpcg.exe
File created	C:\Windows\SysWOW64\Gcnafppn.dll	Gakjcjgo.exe
File created	C:\Windows\SysWOW64\Ggjpqpcd.exe	Ghgpec32.exe
File opened for modification	C:\Windows\SysWOW64\Gkkelngg.exe	Ghlipchd.exe
File opened for modification	C:\Windows\SysWOW64\Jgkanl32.exe	Jhhacopd.exe
File opened for modification	C:\Windows\SysWOW64\Hnpgiipc.exe	Hgfolo32.exe
File created	C:\Windows\SysWOW64\Hanpoggj.exe	Hdjpfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jqhpbq32.exe	Jnjcfe32.exe
File created	C:\Windows\SysWOW64\Fjlmeh32.dll	Kbhllc32.exe
File created	C:\Windows\SysWOW64\Cgknlj32.exe	Caafop32.exe
File created	C:\Windows\SysWOW64\Hhahpnbq.dll	Fkoeqpae.exe
File opened for modification	C:\Windows\SysWOW64\Gpqgdf32.exe	Gmbkhk32.exe
File created	C:\Windows\SysWOW64\Lilnblem.dll	Ggjpqpcd.exe
File created	C:\Windows\SysWOW64\Hpodedpg.exe	Hnpgiipc.exe
File created	C:\Windows\SysWOW64\Ciglff32.dll	Iqhfkcgl.exe
File opened for modification	C:\Windows\SysWOW64\Jkkgjj32.exe	Jhmknn32.exe
File created	C:\Windows\SysWOW64\Anccjplk.dll	Fdbqnflk.exe
File created	C:\Windows\SysWOW64\Bplfgeal.dll	Gmbkhk32.exe
File opened for modification	C:\Windows\SysWOW64\Cgmkai32.exe	Cacbdoil.exe
File created	C:\Windows\SysWOW64\Edddmhhk.exe	Eafhamig.exe
File created	C:\Windows\SysWOW64\Llkdceme.dll	Fppomhjj.exe
File created	C:\Windows\SysWOW64\Cdhlne32.dll	Kjcqqf32.exe
File opened for modification	C:\Windows\SysWOW64\Bcfoelbm.exe	4d5b0212ea6a728e4766a85c7cede020N.exe
File opened for modification	C:\Windows\SysWOW64\Dcdkfjfm.exe	Cmjcip32.exe
File opened for modification	C:\Windows\SysWOW64\Gmbkhk32.exe	Gkcolo32.exe
File opened for modification	C:\Windows\SysWOW64\Ikknclie.exe	Ihmbgqja.exe
File created	C:\Windows\SysWOW64\Jkkgjj32.exe	Jhmknn32.exe
File opened for modification	C:\Windows\SysWOW64\Kjcqqf32.exe	Kgdddj32.exe
File created	C:\Windows\SysWOW64\Dajien32.exe	Djqphdlg.exe
File created	C:\Windows\SysWOW64\Hmphhook.dll	Eimcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Ehppng32.exe	Edddmhhk.exe
File created	C:\Windows\SysWOW64\Pmakpc32.dll	Dpklkkla.exe
File opened for modification	C:\Windows\SysWOW64\Edbhgh32.exe	Eimcjp32.exe
File created	C:\Windows\SysWOW64\Emoekm32.exe	Eicjkodp.exe
File created	C:\Windows\SysWOW64\Kepjpn32.dll	Fpehhh32.exe
File created	C:\Windows\SysWOW64\Fndcgc32.dll	Iqjcabej.exe
File created	C:\Windows\SysWOW64\Jdjimqjm.exe	Jjedohjg.exe
File opened for modification	C:\Windows\SysWOW64\Kginpjjo.exe	Knaigd32.exe
File created	C:\Windows\SysWOW64\Lefmpg32.dll	4d5b0212ea6a728e4766a85c7cede020N.exe
File created	C:\Windows\SysWOW64\Bichmcae.exe	Bcfoelbm.exe
File opened for modification	C:\Windows\SysWOW64\Eafhamig.exe	Ejlpdbbj.exe
File opened for modification	C:\Windows\SysWOW64\Gikibk32.exe	Gkhhgoij.exe
File opened for modification	C:\Windows\SysWOW64\Kbhllc32.exe	Knlpldhc.exe
File opened for modification	C:\Windows\SysWOW64\Fdngcgpp.exe	Fapkgk32.exe
File created	C:\Windows\SysWOW64\Gpqgdf32.exe	Gmbkhk32.exe
File opened for modification	C:\Windows\SysWOW64\Bpmpjm32.exe	Bichmcae.exe
File created	C:\Windows\SysWOW64\Cmhchomj.dll	Haigdh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6268	6172	WerFault.exe	229

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcdkfjfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edbhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edgabhfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikknclie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqcfgamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghgpec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacbdoil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjcip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmfceoec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famnal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkhppa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdngcgpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjpbmklp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhlgalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqhpbq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kginpjjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diemiqqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fimlamle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpiacgbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hniahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpmpjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhijmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnjcfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bichmcae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gakjcjgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghlipchd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkkelngg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgfolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdaompce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhllc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhknhona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhgfnfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmmbmkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghcfjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmbkhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggjpqpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkhhgoij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdefkcle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbcbadda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gndhmjjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hanpoggj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihmbgqja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jngfqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkkgjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpbblj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiameofb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gikibk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnknni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdjpfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igfhclkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkijdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaheflgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eicjkodp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekcfealb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faddbkmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpeaoeha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igdknmmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhjlejb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcieaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafhamig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehbmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnpgiipc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caoiip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caafop32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhknhona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejlpdbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epnbgill.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnloa32.dll"	Fhlpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibgcef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Inndjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhjnn32.dll"	Dcdkfjfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdngcgpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjimqjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpccbm32.dll"	Gdjgoefc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghgpec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciglff32.dll"	Iqhfkcgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emoekm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inndjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmapca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efcqicgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcehe32.dll"	Ikknclie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobcfmff.dll"	Jqaiaaoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehppng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmbkhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdcjednh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Knaigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edgabhfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlecf32.dll"	Fmflll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fhqiddba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gplnigpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpeaoeha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4d5b0212ea6a728e4766a85c7cede020N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anccjplk.dll"	Fdbqnflk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hanpoggj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeplkhba.dll"	Cgmkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnbjo32.dll"	Fkhppa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkoeqpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dedajf32.dll"	Djqphdlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdbqnflk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fhlpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokegd32.dll"	Gplnigpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpqgdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbllp32.dll"	Jhhacopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikink32.dll"	Jqcfgamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fppomhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhqnog32.dll"	Dhijmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igfhclkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgkanl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idhlgalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aenqilml.dll"	Jkkgjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmakpc32.dll"	Dpklkkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidhkddf.dll"	Fpiacgbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmmbmkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdjpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigekejb.dll"	Cfghfgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epnbgill.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekcfealb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmkeglbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnpkpobi.dll"	Knaigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkpom32.dll"	Caoiip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgmkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkaeea32.dll"	Kkndpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qajchh32.dll"	Efcqicgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knlpldhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caoiip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkhhgoij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gikibk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 3160	1320	4d5b0212ea6a728e4766a85c7cede020N.exe	84
PID 1320 wrote to memory of 3160	1320	4d5b0212ea6a728e4766a85c7cede020N.exe	84
PID 1320 wrote to memory of 3160	1320	4d5b0212ea6a728e4766a85c7cede020N.exe	84
PID 3160 wrote to memory of 5036	3160	Bcfoelbm.exe	85
PID 3160 wrote to memory of 5036	3160	Bcfoelbm.exe	85
PID 3160 wrote to memory of 5036	3160	Bcfoelbm.exe	85
PID 5036 wrote to memory of 2928	5036	Bichmcae.exe	86
PID 5036 wrote to memory of 2928	5036	Bichmcae.exe	86
PID 5036 wrote to memory of 2928	5036	Bichmcae.exe	86
PID 2928 wrote to memory of 1856	2928	Bpmpjm32.exe	87
PID 2928 wrote to memory of 1856	2928	Bpmpjm32.exe	87
PID 2928 wrote to memory of 1856	2928	Bpmpjm32.exe	87
PID 1856 wrote to memory of 2332	1856	Cfghfgpo.exe	88
PID 1856 wrote to memory of 2332	1856	Cfghfgpo.exe	88
PID 1856 wrote to memory of 2332	1856	Cfghfgpo.exe	88
PID 2332 wrote to memory of 4064	2332	Cmapca32.exe	90
PID 2332 wrote to memory of 4064	2332	Cmapca32.exe	90
PID 2332 wrote to memory of 4064	2332	Cmapca32.exe	90
PID 4064 wrote to memory of 1828	4064	Cgfdqjga.exe	91
PID 4064 wrote to memory of 1828	4064	Cgfdqjga.exe	91
PID 4064 wrote to memory of 1828	4064	Cgfdqjga.exe	91
PID 1828 wrote to memory of 3436	1828	Cjeamffe.exe	92
PID 1828 wrote to memory of 3436	1828	Cjeamffe.exe	92
PID 1828 wrote to memory of 3436	1828	Cjeamffe.exe	92
PID 3436 wrote to memory of 4984	3436	Caoiip32.exe	94
PID 3436 wrote to memory of 4984	3436	Caoiip32.exe	94
PID 3436 wrote to memory of 4984	3436	Caoiip32.exe	94
PID 4984 wrote to memory of 4112	4984	Cflaag32.exe	96
PID 4984 wrote to memory of 4112	4984	Cflaag32.exe	96
PID 4984 wrote to memory of 4112	4984	Cflaag32.exe	96
PID 4112 wrote to memory of 3108	4112	Caafop32.exe	97
PID 4112 wrote to memory of 3108	4112	Caafop32.exe	97
PID 4112 wrote to memory of 3108	4112	Caafop32.exe	97
PID 3108 wrote to memory of 4912	3108	Cgknlj32.exe	98
PID 3108 wrote to memory of 4912	3108	Cgknlj32.exe	98
PID 3108 wrote to memory of 4912	3108	Cgknlj32.exe	98
PID 4912 wrote to memory of 2312	4912	Ciljcbij.exe	99
PID 4912 wrote to memory of 2312	4912	Ciljcbij.exe	99
PID 4912 wrote to memory of 2312	4912	Ciljcbij.exe	99
PID 2312 wrote to memory of 4280	2312	Cacbdoil.exe	100
PID 2312 wrote to memory of 4280	2312	Cacbdoil.exe	100
PID 2312 wrote to memory of 4280	2312	Cacbdoil.exe	100
PID 4280 wrote to memory of 4444	4280	Cgmkai32.exe	101
PID 4280 wrote to memory of 4444	4280	Cgmkai32.exe	101
PID 4280 wrote to memory of 4444	4280	Cgmkai32.exe	101
PID 4444 wrote to memory of 4156	4444	Cmjcip32.exe	102
PID 4444 wrote to memory of 4156	4444	Cmjcip32.exe	102
PID 4444 wrote to memory of 4156	4444	Cmjcip32.exe	102
PID 4156 wrote to memory of 2072	4156	Dcdkfjfm.exe	103
PID 4156 wrote to memory of 2072	4156	Dcdkfjfm.exe	103
PID 4156 wrote to memory of 2072	4156	Dcdkfjfm.exe	103
PID 2072 wrote to memory of 4164	2072	Dfbhbf32.exe	104
PID 2072 wrote to memory of 4164	2072	Dfbhbf32.exe	104
PID 2072 wrote to memory of 4164	2072	Dfbhbf32.exe	104
PID 4164 wrote to memory of 3496	4164	Dpklkkla.exe	105
PID 4164 wrote to memory of 3496	4164	Dpklkkla.exe	105
PID 4164 wrote to memory of 3496	4164	Dpklkkla.exe	105
PID 3496 wrote to memory of 1916	3496	Dgbdlimd.exe	106
PID 3496 wrote to memory of 1916	3496	Dgbdlimd.exe	106
PID 3496 wrote to memory of 1916	3496	Dgbdlimd.exe	106
PID 1916 wrote to memory of 2436	1916	Djqphdlg.exe	107
PID 1916 wrote to memory of 2436	1916	Djqphdlg.exe	107
PID 1916 wrote to memory of 2436	1916	Djqphdlg.exe	107
PID 2436 wrote to memory of 3904	2436	Dajien32.exe	108

C:\Users\Admin\AppData\Local\Temp\4d5b0212ea6a728e4766a85c7cede020N.exe
"C:\Users\Admin\AppData\Local\Temp\4d5b0212ea6a728e4766a85c7cede020N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\Bcfoelbm.exe
  C:\Windows\system32\Bcfoelbm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\SysWOW64\Bichmcae.exe
    C:\Windows\system32\Bichmcae.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\Bpmpjm32.exe
      C:\Windows\system32\Bpmpjm32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\Cfghfgpo.exe
        
        C:\Windows\system32\Cfghfgpo.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Windows\SysWOW64\Cmapca32.exe
        
        C:\Windows\system32\Cmapca32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Cgfdqjga.exe
        
        C:\Windows\system32\Cgfdqjga.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Cjeamffe.exe
        
        C:\Windows\system32\Cjeamffe.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Caoiip32.exe
        
        C:\Windows\system32\Caoiip32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Cflaag32.exe
        
        C:\Windows\system32\Cflaag32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Caafop32.exe
        
        C:\Windows\system32\Caafop32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Cgknlj32.exe
        
        C:\Windows\system32\Cgknlj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Ciljcbij.exe
        
        C:\Windows\system32\Ciljcbij.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Cacbdoil.exe
        
        C:\Windows\system32\Cacbdoil.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Cgmkai32.exe
        
        C:\Windows\system32\Cgmkai32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Cmjcip32.exe
        
        C:\Windows\system32\Cmjcip32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Dcdkfjfm.exe
        
        C:\Windows\system32\Dcdkfjfm.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Dfbhbf32.exe
        
        C:\Windows\system32\Dfbhbf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Dpklkkla.exe
        
        C:\Windows\system32\Dpklkkla.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Dgbdlimd.exe
        
        C:\Windows\system32\Dgbdlimd.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Djqphdlg.exe
        
        C:\Windows\system32\Djqphdlg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Dajien32.exe
        
        C:\Windows\system32\Dajien32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Dcieaj32.exe
        
        C:\Windows\system32\Dcieaj32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Diemiqqp.exe
        
        C:\Windows\system32\Diemiqqp.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Dckagiqe.exe
        
        C:\Windows\system32\Dckagiqe.exe
        25⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Djejcc32.exe
        
        C:\Windows\system32\Djejcc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Dpbblj32.exe
        
        C:\Windows\system32\Dpbblj32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Dhijmh32.exe
        
        C:\Windows\system32\Dhijmh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Dmfceoec.exe
        
        C:\Windows\system32\Dmfceoec.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Edpkbi32.exe
        
        C:\Windows\system32\Edpkbi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:704
        
        C:\Windows\SysWOW64\Eimcjp32.exe
        
        C:\Windows\system32\Eimcjp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\Edbhgh32.exe
        
        C:\Windows\system32\Edbhgh32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Ejlpdbbj.exe
        
        C:\Windows\system32\Ejlpdbbj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Eafhamig.exe
        
        C:\Windows\system32\Eafhamig.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Edddmhhk.exe
        
        C:\Windows\system32\Edddmhhk.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Ehppng32.exe
        
        C:\Windows\system32\Ehppng32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Efcqicgo.exe
        
        C:\Windows\system32\Efcqicgo.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Eiameofb.exe
        
        C:\Windows\system32\Eiameofb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Eaheflgd.exe
        
        C:\Windows\system32\Eaheflgd.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Edgabhfh.exe
        
        C:\Windows\system32\Edgabhfh.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Ehbmcf32.exe
        
        C:\Windows\system32\Ehbmcf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Eicjkodp.exe
        
        C:\Windows\system32\Eicjkodp.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\Emoekm32.exe
        
        C:\Windows\system32\Emoekm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Epnbgill.exe
        
        C:\Windows\system32\Epnbgill.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Edinhg32.exe
        
        C:\Windows\system32\Edinhg32.exe
        45⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\Ekcfealb.exe
        
        C:\Windows\system32\Ekcfealb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Eiffpn32.exe
        
        C:\Windows\system32\Eiffpn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Famnal32.exe
        
        C:\Windows\system32\Famnal32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:180
        
        C:\Windows\SysWOW64\Fppomhjj.exe
        
        C:\Windows\system32\Fppomhjj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Fhgfnfjl.exe
        
        C:\Windows\system32\Fhgfnfjl.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Ffjgjb32.exe
        
        C:\Windows\system32\Ffjgjb32.exe
        51⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Fihcfn32.exe
        
        C:\Windows\system32\Fihcfn32.exe
        52⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Fapkgk32.exe
        
        C:\Windows\system32\Fapkgk32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Fdngcgpp.exe
        
        C:\Windows\system32\Fdngcgpp.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Fflcobod.exe
        
        C:\Windows\system32\Fflcobod.exe
        55⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Fkhppa32.exe
        
        C:\Windows\system32\Fkhppa32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Fmflll32.exe
        
        C:\Windows\system32\Fmflll32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Fpehhh32.exe
        
        C:\Windows\system32\Fpehhh32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Fhlpie32.exe
        
        C:\Windows\system32\Fhlpie32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Fimlamle.exe
        
        C:\Windows\system32\Fimlamle.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Faddbkmg.exe
        
        C:\Windows\system32\Faddbkmg.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Fdbqnflk.exe
        
        C:\Windows\system32\Fdbqnflk.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Fgamja32.exe
        
        C:\Windows\system32\Fgamja32.exe
        63⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Fkmikpcg.exe
        
        C:\Windows\system32\Fkmikpcg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Fmkeglbk.exe
        
        C:\Windows\system32\Fmkeglbk.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Fpiacgbo.exe
        
        C:\Windows\system32\Fpiacgbo.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Fhqiddba.exe
        
        C:\Windows\system32\Fhqiddba.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Fkoeqpae.exe
        
        C:\Windows\system32\Fkoeqpae.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Fmmbmkqi.exe
        
        C:\Windows\system32\Fmmbmkqi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Gplnigpl.exe
        
        C:\Windows\system32\Gplnigpl.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Ghcfjd32.exe
        
        C:\Windows\system32\Ghcfjd32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Gakjcjgo.exe
        
        C:\Windows\system32\Gakjcjgo.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\Gdjgoefc.exe
        
        C:\Windows\system32\Gdjgoefc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Gkcolo32.exe
        
        C:\Windows\system32\Gkcolo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Gmbkhk32.exe
        
        C:\Windows\system32\Gmbkhk32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Gpqgdf32.exe
        
        C:\Windows\system32\Gpqgdf32.exe
        76⤵
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Ghgpec32.exe
        
        C:\Windows\system32\Ghgpec32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Ggjpqpcd.exe
        
        C:\Windows\system32\Ggjpqpcd.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\Gndhmjjq.exe
        
        C:\Windows\system32\Gndhmjjq.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Gpcdifjd.exe
        
        C:\Windows\system32\Gpcdifjd.exe
        80⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Gkhhgoij.exe
        
        C:\Windows\system32\Gkhhgoij.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Gikibk32.exe
        
        C:\Windows\system32\Gikibk32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Gpeaoeha.exe
        
        C:\Windows\system32\Gpeaoeha.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Ghlipchd.exe
        
        C:\Windows\system32\Ghlipchd.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Gkkelngg.exe
        
        C:\Windows\system32\Gkkelngg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Hniahj32.exe
        
        C:\Windows\system32\Hniahj32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Hdcjednh.exe
        
        C:\Windows\system32\Hdcjednh.exe
        87⤵
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Hjpbmklp.exe
        
        C:\Windows\system32\Hjpbmklp.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Hnknni32.exe
        
        C:\Windows\system32\Hnknni32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Hdefkcle.exe
        
        C:\Windows\system32\Hdefkcle.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Hkoogn32.exe
        
        C:\Windows\system32\Hkoogn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Hnnkcibf.exe
        
        C:\Windows\system32\Hnnkcibf.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Haigdh32.exe
        
        C:\Windows\system32\Haigdh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Hgfolo32.exe
        
        C:\Windows\system32\Hgfolo32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Hnpgiipc.exe
        
        C:\Windows\system32\Hnpgiipc.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Hpodedpg.exe
        
        C:\Windows\system32\Hpodedpg.exe
        96⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Hdjpfc32.exe
        
        C:\Windows\system32\Hdjpfc32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Hanpoggj.exe
        
        C:\Windows\system32\Hanpoggj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Hhhhla32.exe
        
        C:\Windows\system32\Hhhhla32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Ineadh32.exe
        
        C:\Windows\system32\Ineadh32.exe
        100⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ijlaiibb.exe
        
        C:\Windows\system32\Ijlaiibb.exe
        101⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Ihmbgqja.exe
        
        C:\Windows\system32\Ihmbgqja.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Ikknclie.exe
        
        C:\Windows\system32\Ikknclie.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Iqhfkcgl.exe
        
        C:\Windows\system32\Iqhfkcgl.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Igbohm32.exe
        
        C:\Windows\system32\Igbohm32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Ibgcef32.exe
        
        C:\Windows\system32\Ibgcef32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Iqjcabej.exe
        
        C:\Windows\system32\Iqjcabej.exe
        107⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Igdknmmf.exe
        
        C:\Windows\system32\Igdknmmf.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Inndjg32.exe
        
        C:\Windows\system32\Inndjg32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Idhlgalp.exe
        
        C:\Windows\system32\Idhlgalp.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Igfhclkd.exe
        
        C:\Windows\system32\Igfhclkd.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Jjedohjg.exe
        
        C:\Windows\system32\Jjedohjg.exe
        112⤵
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Jdjimqjm.exe
        
        C:\Windows\system32\Jdjimqjm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Jjgaeg32.exe
        
        C:\Windows\system32\Jjgaeg32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Jbnifd32.exe
        
        C:\Windows\system32\Jbnifd32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Jqaiaaoa.exe
        
        C:\Windows\system32\Jqaiaaoa.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Jhhacopd.exe
        
        C:\Windows\system32\Jhhacopd.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Jgkanl32.exe
        
        C:\Windows\system32\Jgkanl32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Jjjnjg32.exe
        
        C:\Windows\system32\Jjjnjg32.exe
        119⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Jnejkfnk.exe
        
        C:\Windows\system32\Jnejkfnk.exe
        120⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Jqcfgamo.exe
        
        C:\Windows\system32\Jqcfgamo.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Jhknhona.exe
        
        C:\Windows\system32\Jhknhona.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Jgnndk32.exe
        
        C:\Windows\system32\Jgnndk32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Jkijdj32.exe
        
        C:\Windows\system32\Jkijdj32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Jngfqe32.exe
        
        C:\Windows\system32\Jngfqe32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Jbcbadda.exe
        
        C:\Windows\system32\Jbcbadda.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Jdaompce.exe
        
        C:\Windows\system32\Jdaompce.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Jhmknn32.exe
        
        C:\Windows\system32\Jhmknn32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Jkkgjj32.exe
        
        C:\Windows\system32\Jkkgjj32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Jnjcfe32.exe
        
        C:\Windows\system32\Jnjcfe32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Jqhpbq32.exe
        
        C:\Windows\system32\Jqhpbq32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Kkndpi32.exe
        
        C:\Windows\system32\Kkndpi32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Knlpldhc.exe
        
        C:\Windows\system32\Knlpldhc.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Kbhllc32.exe
        
        C:\Windows\system32\Kbhllc32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Kgdddj32.exe
        
        C:\Windows\system32\Kgdddj32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Kjcqqf32.exe
        
        C:\Windows\system32\Kjcqqf32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Kqmimped.exe
        
        C:\Windows\system32\Kqmimped.exe
        137⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Knaigd32.exe
        
        C:\Windows\system32\Knaigd32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Kginpjjo.exe
        
        C:\Windows\system32\Kginpjjo.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Kjhjlejb.exe
        
        C:\Windows\system32\Kjhjlejb.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 220
        141⤵
        Program crash
        
        PID:6268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 6172 -ip 6172
1⤵
PID:6240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcfoelbm.exe

Filesize
290KB

MD5
bb3e9ac0fb577793a7e9ce64e2c64175

SHA1
8166d98a50484e68b0e679613548bcdcd38e63dd

SHA256
80bc8aa3b94efff44eb6d24a5ae8f0bd4b04769378a39a2e6feed9633cd6446e

SHA512
7daeaadd186d6378c5b2278fba9dc6520127ebdc84cc9c98bb88cbd646ca619f422859b726847c741f2fb9d2e86185616c2917261b3bab447536a128bd8a8db5

Download Submit
C:\Windows\SysWOW64\Bichmcae.exe

Filesize
290KB

MD5
dde694ea45d8fb7528db43cf5428a0a8

SHA1
27629d628e6beca07295a1fa9a092c759a33a2e8

SHA256
53bb68bd26239d11436398c962b89d40c02756f78b301920ce07d6fbd1c10086

SHA512
265a80be6a7c63788e6e84e461135a42d199b7e22b8a0dbcf2bcfaca1ff3a6b92c11b63d8ffea9ae396f04c305cce3702ceb8c5170e1787ee5e3a0b2e48fadc8

Download Submit
C:\Windows\SysWOW64\Bpmpjm32.exe

Filesize
290KB

MD5
c888543a40cb4262e5d55321f736ceda

SHA1
ec108f32be75306a7980a9b156b69ca690b34861

SHA256
7da4af7ba3af3cebf113c8446481fc16da32c077089e169d27f254871cbe2270

SHA512
3fd0952d89e30430474a1a18ca6002235b9e3bd00db85b9d4f146c922b9b4594be1824642fa3c46fb2ca75adfbd43bafbf34fb26c0e36968743e9f8ce305beb7

Download Submit
C:\Windows\SysWOW64\Caafop32.exe

Filesize
290KB

MD5
53fc497cc9b25798000467ce6e93c0f8

SHA1
ff6f606ba02cf4130e430c0a2fd7b1480ae5a322

SHA256
5c09966bf6c5c0f57a253aa61f126fc126c2d1dd51391cab51f6b5513e8f4e0a

SHA512
a9122c2f912d43ca79d32ed6a9d2b71c07bd82bc29d40223e9cec6e1f360e8e80cbeb409ca767c807fc8479668179218a3f6327e58cb54e4e5a28e04f3f177b4

Download Submit
C:\Windows\SysWOW64\Cacbdoil.exe

Filesize
290KB

MD5
982074d14c93a39b5b65c3633d814490

SHA1
1f05a99d801bf3efc0fe49fc21ff8e0d2b667d70

SHA256
58b20ffbf4e38c9f14a0c3d11ea236bae64444c3fa3e2567e4dcc94949a8fa88

SHA512
e3480f4202eb170e76e99a8f059bf17fd4987ffad3ffecbb47df22a2c2f8328e42b9b4f328495dc421756a79f9d82049cd5d5a607151fd66e3e3e0dbdaf75ab2

Download Submit
C:\Windows\SysWOW64\Caoiip32.exe

Filesize
290KB

MD5
bf4976b0a09bb43efb29da6fc17c05aa

SHA1
3987f363032d4c4783abf4ad9c4b12ec38ecd7fc

SHA256
ba93e6215192df2b5a72b7cc0597fe6e4e69b99c1269029b784dbfb5a3aadb44

SHA512
e4916c7487ff062380b475385924d0021ba9b22bc0bf644eb0cad3c06772ee1ef6b7da541f2761994be88e662803eb105bbd2e1f1650d22fe263d58442a7c874

Download Submit
C:\Windows\SysWOW64\Cfghfgpo.exe

Filesize
290KB

MD5
6a03b462583368fee3472e65d90c60d0

SHA1
65de3b31d1c4e912917287f0c6bee19f3ddd16d5

SHA256
66c520d2e9e34c20ada59a622830347a9c572e1cb71504edcb0b6f3c1ff556b0

SHA512
f8d633fbec759a38fcff7f954691cdd5c7327d066243741248517cb47e93406ebb85c538a0a626d8ddfce86a32bdcfb8c2f51926468f9759dc6583fab40d5485

Download Submit
C:\Windows\SysWOW64\Cflaag32.exe

Filesize
290KB

MD5
b6c6a57b01ed3ec7650f6746a288691c

SHA1
dcf2dd7b7ae323ab5bbb930a332e7e6d0a160bbc

SHA256
0bd2b1c4e874f9bd5f8aeff46a627830c954b101e0445b6acfc457984217a6a0

SHA512
179cb1eae11c010bd4b7eb19f92136e0b56afd7ff06acedb7e0807c0e6c15e630ebac0d7e25954f78fdf2200bc1420dd3321b1eeab3aa59f10dc1194ec57a1ea

Download Submit
C:\Windows\SysWOW64\Cgfdqjga.exe

Filesize
290KB

MD5
250a4076291a74e5f72e0af6fc55c6fa

SHA1
4e451d2cdae7cbc2d16239dcdce1e6359ccceb04

SHA256
15b6b401e6d71e3ca7904b2d462954bb67a3db18a3faea6cfa83edab7f1a4092

SHA512
12a125119f3e6e19239a13db5661162f67530d87cf67c7f38d34e4b1a4fb33858c9af5de24659b2b4169841b5c0bb7cfe14f5487af3f72a5bddeab320d51bf80

Download Submit
C:\Windows\SysWOW64\Cgknlj32.exe

Filesize
290KB

MD5
ec042987d9e37d2b5b6f85f2b2a0a1cd

SHA1
9f3d60b6054cf6c7f075b70ccd5244f7e6e32096

SHA256
4bb5259968836b64e6fb4f4442387b40e9270b2c27e80b95c685a58c82edaa5b

SHA512
15211b45b8d7e6d4f8cc294a2a5c7905c8760d509ab64fa40e92ab217b4cde07e3cfa6688da35d6e7177dcd3dd59de9024d36eaef376b145585f0a1c28f6a903

Download Submit
C:\Windows\SysWOW64\Cgmkai32.exe

Filesize
290KB

MD5
83af53850ae180882935d802fcc8448e

SHA1
1c346962149b9f78360135dcdc250910bcd04f39

SHA256
be7b451e922fe6c563e77da274653417444367785665af8850edec6075035e57

SHA512
57ea44aa570c038f44b0f7a7a3fee713148973bda0e475529e6a04726f598c3bf4b2bc22b834c76281183c35ce4a3419b8cd25dce03715f2b9ce1246749eeec6

Download Submit
C:\Windows\SysWOW64\Ciljcbij.exe

Filesize
290KB

MD5
1084769391b1be23590e2faaf1975a69

SHA1
3e489751168df641ae1523d3850784726999db45

SHA256
cc6c0fee0f28b34b725d7dc5eca3f1d2b81340ee620c527adab79ad61a53c0a6

SHA512
d21d443b80b8e6bc8b039dda18d60e0837497b589b5415cfbb0603f3628b8b01e2bb1978e73dc69fec7a7a4fa4cd04386281dce952b1ce4f3d3e501bc6124663

Download Submit
C:\Windows\SysWOW64\Cjeamffe.exe

Filesize
290KB

MD5
518717d7f9c44d71a6f1c6be08c8e541

SHA1
4cd33082da218a5ac6972747b9b07e1ccbcc3896

SHA256
5cd8c2421cf43294343f895ff9f2ff258a22a6216acde54cd72ac72afaa7d0cb

SHA512
72a342ffb26d1f000d19a4571e639a31f665fe817285170da1bb1d3b483d96462239e0186ed85c09c8b699f6eadbcbc209892d306c00d38d7d1b080eb9ea2266

Download Submit
C:\Windows\SysWOW64\Cmapca32.exe

Filesize
290KB

MD5
0f7fcfc521a4019093648f575b84d278

SHA1
8be9720737be4fb0022acef9a3ff547c69c245da

SHA256
d698277d3eec43cb200e0a9f27947310b5c3445023f7c6eae106e23cf321f9fb

SHA512
944013cdb4b6e2d503c2444726f9c02a2f26ee6206104c229421f1c92d1c2121b904bc851bff1baa1d4bf6719d530eff84cbcc4a50d261e4a34d01500b0b7e3d

Download Submit
C:\Windows\SysWOW64\Cmjcip32.exe

Filesize
290KB

MD5
1599734e231501a844ef7b9ddb396d01

SHA1
c2ca6402f4ad8fa5c418d45acfae30037df0d5c7

SHA256
c7ad2a5135d6b3f0487b2f3bc0a443aff034a49f598380659eacb6dd04348519

SHA512
95c5f1adf650fa8d46d72495dadd392d918e304004b249c13dd2c4ad7e1561479d33cd536a5d85d78b2994a5da632cf936a7471c8c21d5d61f38e8077b31d750

Download Submit
C:\Windows\SysWOW64\Dajien32.exe

Filesize
290KB

MD5
ee6a4ae77831a7f7ae6b0b4eb20ddc12

SHA1
3d98bd4155f72ef6169da3555bb50ef39046bd40

SHA256
b087f473701ecc48da7d1e0b676b744c369315295ca9050a9774b2d89625cb26

SHA512
f81631b212eb5a29b7d02a12f3310f6b43bbd3940d890967af3d8b8228ec6e16b7f38f3898b684c7467e72cc02098bcb175802ef0ec8e44ec06930f6c1d71f99

Download Submit
C:\Windows\SysWOW64\Dcdkfjfm.exe

Filesize
290KB

MD5
819ebfc659a5b99102dc79834c8e9a77

SHA1
d0c5e32b939d25a356c81e9dafdcd28b35dc006b

SHA256
134a6b9947bf392a9b2164156421423049561ceefe1475700dd06ec9e5fd44aa

SHA512
eb4a75958669b366b4c308e0ae224c9affdc319bddae6c06779616b5b0eeddc62c826cc83b1a069a50b8b1e1d2a706bca276996c6dd0bd13fea42f17d64e8377

Download Submit
C:\Windows\SysWOW64\Dcieaj32.exe

Filesize
290KB

MD5
8ce9fcd6a560c1bfbc21fa5c171886e5

SHA1
a4cc9da6aa79dd6c9ac2b75a0a76b64f7d29d4ff

SHA256
267fd6a43d4cbbd701f1b7c0d4a383a9609b9ec5c2f15b7e67cf1e5c9e7dad71

SHA512
8499c3135b1c956c0641bf4ef90518bf45183ba3cb697eaa147f92c5662345cecc998eb708224e9602360d4aabae355215f3f8a8bcfa30a5cb77e6e60e8e0eb7

Download Submit
C:\Windows\SysWOW64\Dckagiqe.exe

Filesize
290KB

MD5
b579650e08d09966575286f4096ba857

SHA1
6800df3be29f8bf539c79a19a773ef1a1ec7dd9a

SHA256
65dbb05372573df07958f3ce3ec94b9e6a951328606aba923edc8f889db56130

SHA512
ba11d77f00f990a501cc6e7384f281535654ce933aeeeb1252f6a265aa99ee96e3aecfd9c94e435dff2e368d109977156ac5b13a7c158dd0badf49f53d13875a

Download Submit
C:\Windows\SysWOW64\Dfbhbf32.exe

Filesize
290KB

MD5
14e43e704b7d519d0d0c5a8a04b786e1

SHA1
8d32e6feda6b50bc7a330cd85efa039d4ca87055

SHA256
19805634241d5d94fb6276819a46cba88f1d1908adc2b8c4cf085ea2ae022fdc

SHA512
96cd7eaeb1a22afe5ef9e315c5f07c01502ce40f92eb2dd17c260006766305f79c61604d490bdf42004bef63bf3e24d767aebcb416857763c56f9144620ad323

Download Submit
C:\Windows\SysWOW64\Dgbdlimd.exe

Filesize
290KB

MD5
936040e2770d64dc1986c97723db38dd

SHA1
2377c8ec65928b879d9cdab38182eef4e892f1c7

SHA256
7cad743ef3db4e76126f5eefc3b7d982ead87465310a079ff9715c07b4d53350

SHA512
60671778099d2bf296ddde583f56f25467f7e675414f8877eeb7c3c7cab7a4f215bc3a4ec3fab37d7b7129191230fd2f4e8415b80441c2f8ced0e7048ce9665d

Download Submit
C:\Windows\SysWOW64\Dhijmh32.exe

Filesize
290KB

MD5
ed99577e68f89e96fcad5c1488cf5dc5

SHA1
853511acdafec94e0f66d70a46c09545f2d1c26d

SHA256
7720099f4b3beca8ff8c0bf31b24e005017972dabc85495880d22f1f85f4e582

SHA512
cd6131c6d4e0a3b12ad9863c886ebcf2ade77378dbb77e6838ac760540317f2cfc3ffc1f2037474924cb277b6b9fc6971298f1dc2d7cf0b09b88e0f50c227a66

Download Submit
C:\Windows\SysWOW64\Diemiqqp.exe

Filesize
290KB

MD5
103fee64110ced4768aec3463e21cec0

SHA1
ace95650dd72b6f4ba627a53988043ea228db322

SHA256
f7cbe93c63c8c5b537fce24e084b1739e64bf854fc3650e93d9797e80164f991

SHA512
1343029a6958897345c67ed75f80355dd9fc912960cd4b8681267daf4387d63a2f9ea80cb7863e2cceb9252d6a4e9c4181c25adccf9dcd0102c87db5c4808cd0

Download Submit
C:\Windows\SysWOW64\Djejcc32.exe

Filesize
290KB

MD5
2e8a5f7d79f7d3a47bdff8e8eb31ffb6

SHA1
04af3ee23d70140f156efffb76ec056346fa4637

SHA256
f4533bdf435765fbecbac0f4a8d130ebb5a7e340009c8b9ef524d95573dd13e0

SHA512
df117f77c67db3ea6e527e5841e90a0e7a928bbd45ff04c0d937c96d6cff984fe892d1130d7343dd36f564aa6befba20ce96f09b405d4a170f6f97514f3aebce

Download Submit
C:\Windows\SysWOW64\Djqphdlg.exe

Filesize
290KB

MD5
b487d5662519f4835d9f7317616cf914

SHA1
0644d789faacbf49b55e1c43d0e5d68d41bbd7bc

SHA256
0d0d41ba3c640956bea1400a27b2cbdcbc12ac9117cbbc0f6e09b848c53660ed

SHA512
a15a4ee70aabaf85cb9a7ee7979c2bd13cad47bcafead8ebe68eadd3d92b9b8cca1c3059095a30d379083f634181353d5f6cc12cf846b4a75fe161c8887e0c82

Download Submit
C:\Windows\SysWOW64\Dmfceoec.exe

Filesize
290KB

MD5
7bd929cc7bb23edca802ba0afde270d0

SHA1
0982f16a09036fbfb6d02ecb40de85ba36ef2afa

SHA256
f74e055bb2562be624105ba2904e871a199464ccab28dfd0d853009fa5f4823c

SHA512
600c5ab1629cf4cdf5784ba18b3d4cc7e2a33ad362e99fbf343a8d028dd012fe49088a17816f1139c0507843a634e495719debf96bf1e3fb11f758f42bb3f791

Download Submit
C:\Windows\SysWOW64\Dpbblj32.exe

Filesize
290KB

MD5
dcdf1e63c44ba6c4b55c9913511dc3e4

SHA1
652062ae715e8e1097ef3846aa399a9c26057fb9

SHA256
d9c3f3193e08ad016ba451f1e0b47637c23f43dda1c7c24d6ab12dd074b533a8

SHA512
fd0608628f3c7d1ecee7861f35c713324a818ab6e86401b4b5ce0a71d4824549c56c863a14ccf4beff6bf2d0a1048e1b9f281686e49f2aa49c606f9aee4fc2a7

Download Submit
C:\Windows\SysWOW64\Dpklkkla.exe

Filesize
290KB

MD5
37579b3cede2055b85d1d147d0da5f5f

SHA1
f6cfb0f91c2d1c2a9f559d7fb04446fcdee731a1

SHA256
64fe70ab14b360da46a76bebfd1dbc6fb77124df34beb959e2ee236a8a858e6c

SHA512
f0ab0a12b3d38660fb6541839bee071b2c0625f01d888d0835a2a2b5009dbcb88ac6f6fd934d09799a4549a49252561661ba9da94a180e8e65bcc7fb8522b986

Download Submit
C:\Windows\SysWOW64\Edbhgh32.exe

Filesize
290KB

MD5
779ba945be4aaf6d59c0e093bd99b0fe

SHA1
726bc447c7d754c96838111c396222d7d9a4303a

SHA256
a39441907ad380a64cf3c69f7db6e3efe4e3be06261e83de27db8672273fb8fd

SHA512
ba30337ed50110b311cad919b12e419ead6c0bba7a17336555044f7403013ec242b093a5f19464850693b65441ab1a5c15a1b10f0cd7eca0c8f5051f1109a709

Download Submit
C:\Windows\SysWOW64\Edpkbi32.exe

Filesize
290KB

MD5
5a3c67c24a1575faea0fbf0eddc56d7b

SHA1
23d2d8e023b1f652eb49019ce7ebc679b794af8a

SHA256
da5d2f408f7886309f8dd04ffbdaa8b40e5a161994012582c58cb445f424aa1e

SHA512
bd3a6426b9a97ed21b7dc984c9e3ce74846b4c4f66331d925277b3bec68e3f017eeffde9e47a62a252419b36efbf8495650b8636d8cb0bde24791c40cd6e3c75

Download Submit
C:\Windows\SysWOW64\Eimcjp32.exe

Filesize
290KB

MD5
212eb3f999404e4657e39de1fa1d55a4

SHA1
bab3a4ef48dd56bfcee92b643fd0c442bf7661bb

SHA256
0ab3914ebadeaf7d1f7b93dd424815384361bb4f030c5a445020bf02dd890d3d

SHA512
c3eb98d9a3088eaf69a3bfca97e55b44901a8f89cb5d86798d0c7c95624fed5207a68c633f7c8a507eec563dfe26b2a350630233c0649d394a04c8383bcaf8d7

Download Submit
C:\Windows\SysWOW64\Ejlpdbbj.exe

Filesize
290KB

MD5
559238a12aaae3be87b455b5edf8ed3e

SHA1
97b2b1c2fc91da38c1bd1d99916db463df5c724f

SHA256
0be344b618e60fa08a0af7017f180241996cbd1e3ef8515e51fc01cd27515374

SHA512
78a2e07509a0e27f9bad27004c2fc69a257422aedf301c89fd3df58ea120adbdc1d5cdb115eb5ec2fd6ebe432bea036eafcc51d8d876250387b8ca82542aff68

Download Submit
C:\Windows\SysWOW64\Gkhhgoij.exe

Filesize
290KB

MD5
29b5fed032a477e31b32d509dfd2035d

SHA1
6feb34d2d838dd2873c8b9acdfa55f170f757504

SHA256
f2337c38cad8c93544bb639bef2e8db765ed47292d71a6c4109961928d2da6f9

SHA512
e5d16850f5d4bc2e9164a9a687fb90870ae14287bda335362c9e6b234f2a8e62c618ff6e184387cd20aacd72ed6803eca4fd4f515cbf4a58acf31f6a39273fd6

Download Submit
C:\Windows\SysWOW64\Gmbkhk32.exe

Filesize
290KB

MD5
5c838d1170ce942f325f710ca1d059a6

SHA1
5caeadd2ad19bf933bdbbad7ef63cff66de5998d

SHA256
03483a2b3e37bedf53595baa055770cf5cf698ffa76df8b096e19219d350750c

SHA512
3dd0667ebb0a016431e8257946b789690f2f45e3943df2a5dc11850fa75681d6ead85e0dafe85eda8929d0d3cb53fc65b313ed73e8ba0a257ce250af121169a6

Download Submit
C:\Windows\SysWOW64\Gpeaoeha.exe

Filesize
290KB

MD5
d406828c9e858c1bc444ba10c3ed5acd

SHA1
293516ab47d099e96ef84b0176a3192c06940a62

SHA256
f636eb4743042886bf140ef79a056b7ca535701e6a16535527c58c9f54d5e421

SHA512
1ee8dc6c59654a6e52a0c389535a30131141bfb7e8c1f172dc80e2898c55449c812afb7a13a8dee8847c3169ad5e5786b075b51b3240cdb0d4246e51bb1f87d3

Download Submit
C:\Windows\SysWOW64\Hgfolo32.exe

Filesize
290KB

MD5
cd3f0c43673b618a97f1a4763e58d68c

SHA1
4de3d276a0e3109cdd271190e9b5efc8a7254ff5

SHA256
78c7f9c685d10f9401dce1fbf5d003eabf24b560bbf06a6e686f12818f4c2cd9

SHA512
8efb2f3e3fe0d81ed76bf00c2cf93a198f57c5be67db2963a36b15c392818176a4d113c4a6f0a2237f3bafd31d707a282598ed5a880d7ba9a66655bebc278c42

Download Submit
C:\Windows\SysWOW64\Jjedohjg.exe

Filesize
290KB

MD5
b039a5da4b9c6b0f82bf2885ffc95dab

SHA1
336d2017e09b878fc8d7459c6314fc5005f91022

SHA256
71d313361c3cbc734f181f8132feaf27640ba1630c6bde4b0c454244e7d58cbd

SHA512
3d02854ba8c524b949b68f3f13450b959c49836c1ff1fa8cf5af5edec512874e4028fcf938d9a0762f607bdeac58aa79d16e7c3aae3256fe5662ce0a837529a8

Download Submit
C:\Windows\SysWOW64\Jqcfgamo.exe

Filesize
290KB

MD5
335614800c31ac9a4838430834ffce98

SHA1
57fc789611c59b1bcc27a03d27f033e410f9aaf0

SHA256
5588f1570242cefd353a2179b3044ffdf04039bfca94622cda6199b915679f6b

SHA512
7ddc6f20bae47c94032ebf905283de52718bc12d3ae7d49cd6e176cd3ed165991c06bd195fa95c2ed0ab316616cc76944d25ddd4bbb8177b8e06e753b1a11e11

Download Submit
C:\Windows\SysWOW64\Jqhpbq32.exe

Filesize
290KB

MD5
1e587e7e0e5e66239af42362c029fc60

SHA1
9a111c07f0d756bbb8a3cd7031fe2115b8ef5140

SHA256
97dc41ef70651d9d6cc53f2d36da2fb0be7aec292bca300b0547557555d7c275

SHA512
44f6fd4578935b7ac8ac63ba5f55bb638f0c36c1f815a80a6442e0c223cc1751f47ce14d0878cf75339ea08e4388ffe8d1ea5fd46382037589308fe71f2133cd

Download Submit
C:\Windows\SysWOW64\Knaigd32.exe

Filesize
290KB

MD5
d81530f173beda971455f784165dadbb

SHA1
ad4a7b6d5d8b958c5e23de0dadf2cfb592f7231c

SHA256
23d1c35173bfd8cb492cbf092a1603dddda239358498a9895e889faa297e4223

SHA512
45f596834461a580d734631afb5ea563958ddb24f7f7f2dddec5be1ba6e12fa626397f028822750c97620fad9b8861d8bb7576de3ec0e71ade4c92b0572d19c4

Download Submit
C:\Windows\SysWOW64\Pigekejb.dll

Filesize
7KB

MD5
5a21395932d919ddc1324e12c00e4679

SHA1
3302beb0ca58b93009be17a4d1c8a6efe2c5e73f

SHA256
ab5b92210852455a73bb4c8404c0853c0edafae36c9f04f8b6cbcbe507af13d3

SHA512
e3a91f670f2b48647bc1067e144b2535d3b6cc48c6be4ad646388420a8be55e7fc04bb36bdd1360ce71419de7b23a0ea609dfc06bd02c50041b7a61a88851294

Download Submit
memory/180-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/560-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/704-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/808-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/988-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-1065-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-1050-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5648-998-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5924-1019-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads