gozi | bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe
Size

163KB
MD5

33bd089dc09d81015f951857587642fc
SHA1

e010a67f0f0f4b6118d29e227c9017387012fc6d
SHA256

bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774
SHA512

2a68a5af7d96445611fb5f73e996b8733c863f578393de9ffdfc9c61ef8884b7af5074052bde63d86e9af240529868d6d7f22cc157c26aa1a0e083b87e2ed5bf
SSDEEP

1536:PU4emvacCR8jDca0FxIG1Qotzst3lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:BDU8EaMIG1QkIt3ltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Fjeplijj.exeEaaiahei.exeEjccgi32.exeFclhpo32.exeFgiaemic.exebf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exeDdfbgelh.exeDickplko.exeFnhbmgmk.exeDknnoofg.exeFgnjqm32.exeFboecfii.exeFgqgfl32.exeDckoia32.exeEdaaccbj.exeEdfknb32.exeDkbgjo32.exeEnhifi32.exeDaollh32.exeEnlcahgh.exeFdpnda32.exeDajbaika.exeDjgdkk32.exeFglnkm32.exeEjjaqk32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daollh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fglnkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajbaika.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjaqk32.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 25 IoCs

Processes:

Dknnoofg.exeDdfbgelh.exeDickplko.exeDajbaika.exeDckoia32.exeDkbgjo32.exeDjgdkk32.exeDaollh32.exeEjjaqk32.exeEaaiahei.exeEnhifi32.exeEdaaccbj.exeEnlcahgh.exeEdfknb32.exeEjccgi32.exeFclhpo32.exeFjeplijj.exeFgiaemic.exeFboecfii.exeFglnkm32.exeFdpnda32.exeFgnjqm32.exeFnhbmgmk.exeFgqgfl32.exeGddgpqbe.exe

pid	process
2316	Dknnoofg.exe
976	Ddfbgelh.exe
4916	Dickplko.exe
2704	Dajbaika.exe
3576	Dckoia32.exe
2708	Dkbgjo32.exe
2604	Djgdkk32.exe
3916	Daollh32.exe
4176	Ejjaqk32.exe
3060	Eaaiahei.exe
2312	Enhifi32.exe
3716	Edaaccbj.exe
3124	Enlcahgh.exe
2520	Edfknb32.exe
1416	Ejccgi32.exe
3268	Fclhpo32.exe
4616	Fjeplijj.exe
1496	Fgiaemic.exe
4372	Fboecfii.exe
1820	Fglnkm32.exe
3328	Fdpnda32.exe
2820	Fgnjqm32.exe
2392	Fnhbmgmk.exe
4236	Fgqgfl32.exe
996	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

Processes:

Dknnoofg.exeDajbaika.exeDkbgjo32.exeFgqgfl32.exebf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exeDdfbgelh.exeEdfknb32.exeEjccgi32.exeFclhpo32.exeFboecfii.exeDaollh32.exeEdaaccbj.exeFjeplijj.exeFgnjqm32.exeFnhbmgmk.exeDjgdkk32.exeEjjaqk32.exeFglnkm32.exeFdpnda32.exeDckoia32.exeEnlcahgh.exeDickplko.exeEaaiahei.exeEnhifi32.exeFgiaemic.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ddfbgelh.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Efehkimj.dll	Dajbaika.exe
File opened for modification	C:\Windows\SysWOW64\Djgdkk32.exe	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fgqgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Dknnoofg.exe	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe
File opened for modification	C:\Windows\SysWOW64\Dickplko.exe	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Ejccgi32.exe	Edfknb32.exe
File opened for modification	C:\Windows\SysWOW64\Fclhpo32.exe	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Fjeplijj.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Gokfdpdo.dll	Fboecfii.exe
File opened for modification	C:\Windows\SysWOW64\Dckoia32.exe	Dajbaika.exe
File created	C:\Windows\SysWOW64\Ejjaqk32.exe	Daollh32.exe
File opened for modification	C:\Windows\SysWOW64\Enlcahgh.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Fjeplijj.exe
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fgnjqm32.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Daollh32.exe	Djgdkk32.exe
File created	C:\Windows\SysWOW64\Dikifc32.dll	Ejjaqk32.exe
File opened for modification	C:\Windows\SysWOW64\Fdpnda32.exe	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Fgnjqm32.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Mkhpmopi.dll	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Foolmeif.dll	Ddfbgelh.exe
File created	C:\Windows\SysWOW64\Ohjckodg.dll	Dckoia32.exe
File created	C:\Windows\SysWOW64\Djgdkk32.exe	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Ahkdgl32.dll	Djgdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Kplqhmfl.dll	Edfknb32.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe
File created	C:\Windows\SysWOW64\Elkodmbe.dll	Dickplko.exe
File opened for modification	C:\Windows\SysWOW64\Ejjaqk32.exe	Daollh32.exe
File opened for modification	C:\Windows\SysWOW64\Enhifi32.exe	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Enhifi32.exe
File created	C:\Windows\SysWOW64\Enlcahgh.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Dckoia32.exe	Dajbaika.exe
File created	C:\Windows\SysWOW64\Dkbgjo32.exe	Dckoia32.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Enhifi32.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Bejceb32.dll	Fglnkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ddfbgelh.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Icembg32.dll	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Mfikmmob.dll	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Fjeplijj.exe
File opened for modification	C:\Windows\SysWOW64\Fgnjqm32.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fgqgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ejccgi32.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Fdpnda32.exe	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Enhifi32.exe	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Edfknb32.exe	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Fglnkm32.exe	Fboecfii.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Gfbhcl32.dll	Daollh32.exe
File created	C:\Windows\SysWOW64\Eaaiahei.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Dajbaika.exe	Dickplko.exe
File created	C:\Windows\SysWOW64\Daollh32.exe	Djgdkk32.exe
File created	C:\Windows\SysWOW64\Eacdhhjj.dll	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Agecdgmk.dll	Dknnoofg.exe
File opened for modification	C:\Windows\SysWOW64\Eaaiahei.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Adbofa32.dll	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Fclhpo32.exe	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Fboecfii.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Dajbaika.exe	Dickplko.exe
File opened for modification	C:\Windows\SysWOW64\Dkbgjo32.exe	Dckoia32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4536 996 WerFault.exe Gddgpqbe.exe

pid	pid_target	process	target process
4536	996	WerFault.exe	Gddgpqbe.exe

Modifies registry class 64 IoCs

Processes:

bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exeFjeplijj.exeFgiaemic.exeFboecfii.exeDdfbgelh.exeDckoia32.exeDjgdkk32.exeEjccgi32.exeFnhbmgmk.exeDkbgjo32.exeEjjaqk32.exeEdaaccbj.exeDknnoofg.exeEdfknb32.exeFglnkm32.exeFgqgfl32.exeDickplko.exeEnhifi32.exeFgnjqm32.exeFdpnda32.exeDaollh32.exeEnlcahgh.exeDajbaika.exeEaaiahei.exeFclhpo32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll"	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foolmeif.dll"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfikmmob.dll"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplqhmfl.dll"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll"	Fglnkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Dckoia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkodmbe.dll"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfdpdo.dll"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahkdgl32.dll"	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll"	Enlcahgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlpen32.dll"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icembg32.dll"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbofa32.dll"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeejn32.dll"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dajbaika.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacdhhjj.dll"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enlcahgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnhbmgmk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exeDknnoofg.exeDdfbgelh.exeDickplko.exeDajbaika.exeDckoia32.exeDkbgjo32.exeDjgdkk32.exeDaollh32.exeEjjaqk32.exeEaaiahei.exeEnhifi32.exeEdaaccbj.exeEnlcahgh.exeEdfknb32.exeEjccgi32.exeFclhpo32.exeFjeplijj.exeFgiaemic.exeFboecfii.exeFglnkm32.exeFdpnda32.exe

description	pid	process	target process
PID 4960 wrote to memory of 2316	4960	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe	Dknnoofg.exe
PID 4960 wrote to memory of 2316	4960	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe	Dknnoofg.exe
PID 4960 wrote to memory of 2316	4960	bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe	Dknnoofg.exe
PID 2316 wrote to memory of 976	2316	Dknnoofg.exe	Ddfbgelh.exe
PID 2316 wrote to memory of 976	2316	Dknnoofg.exe	Ddfbgelh.exe
PID 2316 wrote to memory of 976	2316	Dknnoofg.exe	Ddfbgelh.exe
PID 976 wrote to memory of 4916	976	Ddfbgelh.exe	Dickplko.exe
PID 976 wrote to memory of 4916	976	Ddfbgelh.exe	Dickplko.exe
PID 976 wrote to memory of 4916	976	Ddfbgelh.exe	Dickplko.exe
PID 4916 wrote to memory of 2704	4916	Dickplko.exe	Dajbaika.exe
PID 4916 wrote to memory of 2704	4916	Dickplko.exe	Dajbaika.exe
PID 4916 wrote to memory of 2704	4916	Dickplko.exe	Dajbaika.exe
PID 2704 wrote to memory of 3576	2704	Dajbaika.exe	Dckoia32.exe
PID 2704 wrote to memory of 3576	2704	Dajbaika.exe	Dckoia32.exe
PID 2704 wrote to memory of 3576	2704	Dajbaika.exe	Dckoia32.exe
PID 3576 wrote to memory of 2708	3576	Dckoia32.exe	Dkbgjo32.exe
PID 3576 wrote to memory of 2708	3576	Dckoia32.exe	Dkbgjo32.exe
PID 3576 wrote to memory of 2708	3576	Dckoia32.exe	Dkbgjo32.exe
PID 2708 wrote to memory of 2604	2708	Dkbgjo32.exe	Djgdkk32.exe
PID 2708 wrote to memory of 2604	2708	Dkbgjo32.exe	Djgdkk32.exe
PID 2708 wrote to memory of 2604	2708	Dkbgjo32.exe	Djgdkk32.exe
PID 2604 wrote to memory of 3916	2604	Djgdkk32.exe	Daollh32.exe
PID 2604 wrote to memory of 3916	2604	Djgdkk32.exe	Daollh32.exe
PID 2604 wrote to memory of 3916	2604	Djgdkk32.exe	Daollh32.exe
PID 3916 wrote to memory of 4176	3916	Daollh32.exe	Ejjaqk32.exe
PID 3916 wrote to memory of 4176	3916	Daollh32.exe	Ejjaqk32.exe
PID 3916 wrote to memory of 4176	3916	Daollh32.exe	Ejjaqk32.exe
PID 4176 wrote to memory of 3060	4176	Ejjaqk32.exe	Eaaiahei.exe
PID 4176 wrote to memory of 3060	4176	Ejjaqk32.exe	Eaaiahei.exe
PID 4176 wrote to memory of 3060	4176	Ejjaqk32.exe	Eaaiahei.exe
PID 3060 wrote to memory of 2312	3060	Eaaiahei.exe	Enhifi32.exe
PID 3060 wrote to memory of 2312	3060	Eaaiahei.exe	Enhifi32.exe
PID 3060 wrote to memory of 2312	3060	Eaaiahei.exe	Enhifi32.exe
PID 2312 wrote to memory of 3716	2312	Enhifi32.exe	Edaaccbj.exe
PID 2312 wrote to memory of 3716	2312	Enhifi32.exe	Edaaccbj.exe
PID 2312 wrote to memory of 3716	2312	Enhifi32.exe	Edaaccbj.exe
PID 3716 wrote to memory of 3124	3716	Edaaccbj.exe	Enlcahgh.exe
PID 3716 wrote to memory of 3124	3716	Edaaccbj.exe	Enlcahgh.exe
PID 3716 wrote to memory of 3124	3716	Edaaccbj.exe	Enlcahgh.exe
PID 3124 wrote to memory of 2520	3124	Enlcahgh.exe	Edfknb32.exe
PID 3124 wrote to memory of 2520	3124	Enlcahgh.exe	Edfknb32.exe
PID 3124 wrote to memory of 2520	3124	Enlcahgh.exe	Edfknb32.exe
PID 2520 wrote to memory of 1416	2520	Edfknb32.exe	Ejccgi32.exe
PID 2520 wrote to memory of 1416	2520	Edfknb32.exe	Ejccgi32.exe
PID 2520 wrote to memory of 1416	2520	Edfknb32.exe	Ejccgi32.exe
PID 1416 wrote to memory of 3268	1416	Ejccgi32.exe	Fclhpo32.exe
PID 1416 wrote to memory of 3268	1416	Ejccgi32.exe	Fclhpo32.exe
PID 1416 wrote to memory of 3268	1416	Ejccgi32.exe	Fclhpo32.exe
PID 3268 wrote to memory of 4616	3268	Fclhpo32.exe	Fjeplijj.exe
PID 3268 wrote to memory of 4616	3268	Fclhpo32.exe	Fjeplijj.exe
PID 3268 wrote to memory of 4616	3268	Fclhpo32.exe	Fjeplijj.exe
PID 4616 wrote to memory of 1496	4616	Fjeplijj.exe	Fgiaemic.exe
PID 4616 wrote to memory of 1496	4616	Fjeplijj.exe	Fgiaemic.exe
PID 4616 wrote to memory of 1496	4616	Fjeplijj.exe	Fgiaemic.exe
PID 1496 wrote to memory of 4372	1496	Fgiaemic.exe	Fboecfii.exe
PID 1496 wrote to memory of 4372	1496	Fgiaemic.exe	Fboecfii.exe
PID 1496 wrote to memory of 4372	1496	Fgiaemic.exe	Fboecfii.exe
PID 4372 wrote to memory of 1820	4372	Fboecfii.exe	Fglnkm32.exe
PID 4372 wrote to memory of 1820	4372	Fboecfii.exe	Fglnkm32.exe
PID 4372 wrote to memory of 1820	4372	Fboecfii.exe	Fglnkm32.exe
PID 1820 wrote to memory of 3328	1820	Fglnkm32.exe	Fdpnda32.exe
PID 1820 wrote to memory of 3328	1820	Fglnkm32.exe	Fdpnda32.exe
PID 1820 wrote to memory of 3328	1820	Fglnkm32.exe	Fdpnda32.exe
PID 3328 wrote to memory of 2820	3328	Fdpnda32.exe	Fgnjqm32.exe

C:\Users\Admin\AppData\Local\Temp\bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe
"C:\Users\Admin\AppData\Local\Temp\bf306b010921ee28b49bff7387808fbb99e25661ba89f0a434d0ad42ebd8c774.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\Dknnoofg.exe
C:\Windows\system32\Dknnoofg.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\Ddfbgelh.exe
C:\Windows\system32\Ddfbgelh.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\Dickplko.exe
C:\Windows\system32\Dickplko.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\Dajbaika.exe
C:\Windows\system32\Dajbaika.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\Dckoia32.exe
C:\Windows\system32\Dckoia32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\Dkbgjo32.exe
C:\Windows\system32\Dkbgjo32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\Djgdkk32.exe
C:\Windows\system32\Djgdkk32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\Daollh32.exe
C:\Windows\system32\Daollh32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\Ejjaqk32.exe
C:\Windows\system32\Ejjaqk32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\Eaaiahei.exe
C:\Windows\system32\Eaaiahei.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\Enhifi32.exe
C:\Windows\system32\Enhifi32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\Edaaccbj.exe
C:\Windows\system32\Edaaccbj.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\Enlcahgh.exe
C:\Windows\system32\Enlcahgh.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\Edfknb32.exe
C:\Windows\system32\Edfknb32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\Ejccgi32.exe
C:\Windows\system32\Ejccgi32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\Fclhpo32.exe
C:\Windows\system32\Fclhpo32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\Fjeplijj.exe
C:\Windows\system32\Fjeplijj.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\Fgiaemic.exe
C:\Windows\system32\Fgiaemic.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\Fboecfii.exe
C:\Windows\system32\Fboecfii.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\Fglnkm32.exe
C:\Windows\system32\Fglnkm32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\Fdpnda32.exe
C:\Windows\system32\Fdpnda32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\Fgnjqm32.exe
C:\Windows\system32\Fgnjqm32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2820

C:\Windows\SysWOW64\Fnhbmgmk.exe
C:\Windows\system32\Fnhbmgmk.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2392

C:\Windows\SysWOW64\Fgqgfl32.exe
C:\Windows\system32\Fgqgfl32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4236

C:\Windows\SysWOW64\Gddgpqbe.exe
C:\Windows\system32\Gddgpqbe.exe
26⤵
- Executes dropped EXE
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 400
27⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 996 -ip 996
1⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
1⤵
PID:4840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dajbaika.exe
Filesize
163KB

MD5
09bf575a75ac8de1905cfebce3adb528

SHA1
4a7ce8033c6e21dfe17b244c5b5b2163a3a6773e

SHA256
35a6a07ab9b6f48abf0380bdc8736b29ab2f6ef21095e685a289e66a9a3a7fef

SHA512
ef7d808e815ebf2178f4ea0fdc3c49198b98586ef49652725fabf568b91d9c34ffd396cf0daac27b65ec43398f951da1a316b91322f86b5cf301b559f95e4b88

Download Submit
C:\Windows\SysWOW64\Daollh32.exe
Filesize
163KB

MD5
785794bff91dc29eced89a439ceff22f

SHA1
41d29d7f45a25424811243e9e53d619a0f8f4a21

SHA256
c2b5099b8665d7bd769c7d518f80d3bdd9afb6c9ca3457d836d3dc0f03c3f2fb

SHA512
5c63fd4b533555fcdf540a89f510117494a137c6ae73cb887a8f90a8445e3ea54748c69ec46ae036adc1640c58ad7b966e6c4eb3ed2c839e3154af350c513621

Download Submit
C:\Windows\SysWOW64\Dckoia32.exe
Filesize
163KB

MD5
f3c36172eb310081516cb76be9f4cbd6

SHA1
a9b3bc8e6619729859ef032b79c46aa555de408e

SHA256
987cf5525b7489079babb371d7561a92b8365253306e97116cb3fcd7b65ef7b5

SHA512
5bf4948496988710deac1a09d926f0d63e8847f4888785edca2748d131b714205de91a97be35119dafd1d212d4882affb7574f34d526259546164e25febcae4d

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe
Filesize
163KB

MD5
fb427f536ef957d479472644a2259558

SHA1
25596c0e2de9e1169dfe1a05564a2c1154aac9b9

SHA256
40ff95d0693a32c5bed3faf1c123156996b654d227f659f61b076e3e3cbd24a7

SHA512
8ed7c4e3eddebc7a37a604dbabbe6b60f88924f0d1406a39ac3df11e7ddd33eed7b07be198d8fa525c683bd532f2353f347b998076e9b114617c3b6839fffdf5

Download Submit
C:\Windows\SysWOW64\Dickplko.exe
Filesize
163KB

MD5
f6c5ff60962d4f9c69721446b530ef36

SHA1
a28d129378eee030412a1b580e1c3d92ac12dc8f

SHA256
367f0d497d0514a9af485ea388af1d52c36398ad89e3b85e8949db9fafcae639

SHA512
09f2b30a138b599460c8f2d5af7b1ca1bf5354f09ef5a0a522cd063ac25d8942aa13cedef2fdb3cae77ed9065fc831a2045992d8c6f88b977835707407c5326f

Download Submit
C:\Windows\SysWOW64\Djgdkk32.exe
Filesize
163KB

MD5
f93253a06e7dbd3bd56752815a3ff5b5

SHA1
64fc739fa128bc1c0323dfe0474ba151ceb0cda8

SHA256
72f7b41fb41425f688286c367472528c3cc019250e362c30eaeb5237d60e7fea

SHA512
18c8b94990f05c098467871bb3ae6e26b265df8e06abb4f0e77b15249b7d1361fe719ea97e7661f44ac09e43ce0955069e5c955c38b7703c61891900590b896a

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe
Filesize
163KB

MD5
57a6e9041f967e5bd4abbe66f0c2915c

SHA1
dc6dd118cab7506081c505b38029b1ad2dc7f01b

SHA256
4cf4af8d953a16e6b38ec6732e12f2468db688cac14198c399e6cc33669cc581

SHA512
91d7824f87fc19da18c95153a0d9205e2356f723c36c9d08c05a3164eb3b9d51420f199926255c307297bce96a4f7a64ffc42c8e491997debe37310412f3a72a

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe
Filesize
163KB

MD5
88a909064f8c5af6cddf4d0f6ec3c336

SHA1
a8a937e6949c48b8c96c8ab5a7e469d4dd4f93e7

SHA256
68fefcc4071f23cafe69255903b26ffb5fd37048a49f4ea9c475bb8fd5445284

SHA512
6e9ba986163d5787d57a258d24b470b4058df62da7179b1b46efa2327908e6235a27beaa1d25760719e0efe9017f00d78c3dbb5a93de31b92abd4a1229d7e1c1

Download Submit
C:\Windows\SysWOW64\Eaaiahei.exe
Filesize
163KB

MD5
48c6d5486ef73e1b5b3d2b52c611183b

SHA1
2d36874d43643fff0b1d56c86111afd343cdf0d9

SHA256
3fefe07448106b7963e66bc14d7652c3057ff5bf93c714fb3678dea3cd3ad563

SHA512
b472164a2f4690044b90c10a046561b1391910f310fdfe79f1cd7594dac2ed8226b7ce0306adcf7648d64612b40f7ffb8f2c6874dead1032ea7f5768fd2905d2

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe
Filesize
163KB

MD5
a3ac3e93847a3cefd03e7196b780a00f

SHA1
ad4b095f0df435afa5dee95c70d2a54d302fa26a

SHA256
da068f5f72378e28b8281edc377ecf6b1f4e73a0976940b7e75f3c4a20fd77c5

SHA512
69310e145626642795e34d3e9397494aeed67bd4ba720cd99ffbfc4fae9476d36bf29c8f01383add11087dad7fa715ee8976086402240dd2cd72ad59176a0dad

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe
Filesize
163KB

MD5
2865ee0df246b99ffa70ae3d793a6bf9

SHA1
7031f844a299c60779470f3cfadb8532f4711fd4

SHA256
37249754d53f738b24c126fc4f6aa4e1ccc33b07f72774dfa05503fb65004b53

SHA512
5b2e9609ebc8c5d398ebbc36e64f41bc264907b4bd80473ee520e7db02ea8a697e4c87c947cd1a579f7afbd9b67b8423e189d645cb8adfe3e6c43b3e146b6b37

Download Submit
C:\Windows\SysWOW64\Ejccgi32.exe
Filesize
163KB

MD5
819faf9b3a8f5cafa8a1a9ab5f9a08ad

SHA1
5fe9baf24defe4a34d342f60ce25269f0efa65f8

SHA256
54317e783380cb3f93042a671c09afa979a48664df36c9a0dc02c0ca07c90758

SHA512
852a3db3c838d84fd2a7adc12184d4d8cdc0c96631481b7b9a20a5502a0c35672699c14897aa7fbe50cc179d5bc65354339edb65fcb7f214f0840fdda2a8269a

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe
Filesize
163KB

MD5
cbe852ed0c17f87704bfdf1b12c49818

SHA1
2ff47ce7fc2cebac6480357c2eccda7d2db15d66

SHA256
b69d7228fb10b48deb3d77b60d37e5c100b9eaede227b401b2a9c78ca18fb036

SHA512
adb59b1dbc2262fc9475495b23487456f7ddb33d87d08253d03c6b38ffdde2ccf450793415374f1f43496dd85a301e92abffe9bdbe151265919ed9e5cff14613

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe
Filesize
163KB

MD5
8fc3d28ec242c7c1d15861609af9e26e

SHA1
16429a5ebd3ac6c4e891d5f7f5b18a12719ec553

SHA256
dda9b051ad3cec81cc057c7b5c6e4f8f78d1cd91061a0371d63e90838b7eb328

SHA512
35ea445f30fef08e9d833882d0ea52078671316374476166ae376a603ab0f40aba6add46f920e0827e5a4fbd8f8fdc22e9dde1679e6b54f6debed85e12e46077

Download Submit
C:\Windows\SysWOW64\Enlcahgh.exe
Filesize
163KB

MD5
3dfdcf53492ebdade62b651b8dfd894e

SHA1
b1cb95919b609feb49a38bef747c74befe84876b

SHA256
190a93c41a69444a0c7fc12bdf8bf883d3aac080bd9267c6522cdb0303237460

SHA512
af7be808a8f7bc6cbdd2542ab5bfa34b7fd73eeaa6248703340216d06d4c56b3dcf175312a3d0b0f742604af3a54ee1a26350553e87000022cf3394490652ae6

Download Submit
C:\Windows\SysWOW64\Fboecfii.exe
Filesize
163KB

MD5
9248d0b81aaf10d70d1f25fb554b7afd

SHA1
1c2f6ee0aea0910063981c8bfa5537e5b3ada1ab

SHA256
83bdeb4a67f84c683d3aaa3efce4f75f940535dc8d0cd094333a79c1c530197c

SHA512
939bd0c4a02c5a0e8bf1ae564bb0417d3a3437e2c0fa7ceac7da5980f911043abd38b9bcbc07982b3edbfb160414cdd78689316bde0b7977a4de84deeedf2ee2

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe
Filesize
163KB

MD5
56dc9a750ee5a2e081ed77d35b8344d0

SHA1
19a39f0ab56e33080888e56aec77923ed3755969

SHA256
6bd3972ff8b580ec624b6384b151e27611ead6450fb973528b0202b41a889876

SHA512
3ccd7d93efdd27b3464291d507468aee606849e849ce500f2cd268e4b65b5d6527d8d726d40cd1aaade194bd7f115ffb04a8f5120ada9ca931ad9571b4cb0495

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe
Filesize
163KB

MD5
8ce386b97b153c7019bd8a3ca3c00e6b

SHA1
14482ca7d2ad908e09cab52f98f735026fbed07c

SHA256
2ce0636a05659b79a5c8f66af8043287b10c44c0d2a3f9e394ec9f7eff450fd2

SHA512
b150473abdfc85e199b189c777604f139be4b2e8a52d6f78d3380ca4e77c5d86a407da9282d243615cf011e3e2505fdfe2311da0c710ade1e3685437a0e19afe

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe
Filesize
163KB

MD5
44e2c9af85bf7a5f828dff9b7aa751f9

SHA1
804b41d6b56f9004bf65d0e6da7bbb13657cc41b

SHA256
82e6e4a55b8c0daf45de809115cb9581f0d7e79f389bdcc4937c76e37232e100

SHA512
06a6ff9908dd7aea76b488e347d68ca558f5252eafd3ef0134ff87721d8102c3eccc6e172e2e9dbd9c90ea3ea41aeb6a1ad1efcfdafd06fb8598c8ec67a3404d

Download Submit
C:\Windows\SysWOW64\Fglnkm32.exe
Filesize
163KB

MD5
ce37f6103147bc3abbfce44eca3a9014

SHA1
4261e2b56925b8d7b03ee32710b76e33ca17eff4

SHA256
074a380f6b3e5112b6f09399ff4b575242982c1e8754e6bc31794e9c8e218806

SHA512
d170ccd781ac272e6b0cc022b3ac061e744caddc48b5c88202c64d0989f04e56659a2079287c95a6e53baf518f5c964f37217cfd0dff705536be035eff63eefc

Download Submit
C:\Windows\SysWOW64\Fgnjqm32.exe
Filesize
163KB

MD5
5bb2abc496b7e4be1898b4ab5875763e

SHA1
ea605c0f47b7bf5ee87747f9c9e3cb8660c6a707

SHA256
fdd03819cc00318f102261a9ee12bc0551505ada33aea69f9495c1e59554165a

SHA512
a94c470f525fc1b9fde4c8572461f504ea1be8bc1f09eaa8f8c9b4d354adc85350a5b1f4cdbb0dd176aa06b7632aa60293d8a0885d22e72e0983f90b217fbca6

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe
Filesize
163KB

MD5
1b478c80635ca79a9076d91c00337b3b

SHA1
ca96b425e859a48a647718564a8a0e311374f274

SHA256
6b4ccf9368ac7155d6c67bd8245151f74f722d99639b1c223aa00a60a979a7fd

SHA512
1f5fa1fbd14d3956cc81eaaa34139bfdfc788f6990e2a37c060f83d31d1d12b9061052dfda2c0094a4c65de29387b75e6a315e7c8006d4561e00446a1fef9104

Download Submit
C:\Windows\SysWOW64\Fjeplijj.exe
Filesize
163KB

MD5
02529b707dc444a164bea634cba7ea07

SHA1
cf6118c46cf2317a6f23928273dbe9e422ea6ea7

SHA256
5bb33a28f5dcc64bb51f154f86d22449891acde434848eb5584ca6c0665fbd74

SHA512
c38e8ce37f05f9eea96f36f8d66f21ceba5be7457513ed9f5a719ab9351cff76fcf8fcba80a9ca7cde4b5be21fb2c58d0299380867775837992d35f2eb40a53d

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe
Filesize
163KB

MD5
b8ec4af40e1f8ff56219ebbfc5249b83

SHA1
0bc6c92d26a718c8882038241518f165ae5dc7c5

SHA256
8753c14fec7265f89724bb8a3b371289a897a18cee29c3f12ea336677e6104ff

SHA512
73891d92179dde12a9c7b02a00079d3bb1ec7653b344d099fbb60e9a2591c9f1d66c4771f22bbfa1e27cb58afc21a906d0704f694413d2dac9141cc4ff8fc861

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe
Filesize
163KB

MD5
25f0207c949cb4f5cdaf6ec3fc86367b

SHA1
ac8e6927e670691bda57431a76afc5e61486e758

SHA256
5f728ebe562dd48718d059d5d685bd2e2a03325278fd63ae552ad8bf361fbe61

SHA512
398cf79c7a6959fb7a34189cf70a978060e358697b0181aeb59efb84c26f2c54f096c71973e94167a2f80bfe095ae2efb8cbd449c99210469adee6424f073682

Download Submit
memory/976-20-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/976-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/996-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/996-204-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1416-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1416-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1496-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1496-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1820-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1820-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2312-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2312-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-251-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2392-207-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2392-189-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2520-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2520-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2604-61-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2604-239-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2704-245-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2704-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2820-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2820-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3060-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3060-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3124-227-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3124-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3268-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3268-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3328-173-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3328-211-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3576-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3576-243-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3716-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3716-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3916-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3916-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4176-235-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4176-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4236-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4236-206-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4372-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4372-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4616-219-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4616-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4916-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4916-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4960-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4960-4-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4960-253-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download