8d173532285e7c07e393cb8cef8dea17451df025eede7325f64409ac1485ca74

Analysis

max time kernel
98s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.Padodor.exe
Size

192KB
MD5

c36b5388f3e926b75c25e21b4956d6c6
SHA1

499a9d85660720e4d2db1d53f21c4b203cd426d3
SHA256

8d173532285e7c07e393cb8cef8dea17451df025eede7325f64409ac1485ca74
SHA512

d036c398690bc7db746451d938e5c88028f00f3b0bddaa55f88220c4df2f8281ce2535dbd2adbd53e28560c73afe03589834a9ccab994a447508793f3fd01807
SSDEEP

3072:p0w1+uZ0WsXHZLITJP6w69is4Sp+7H7wWkqrifbdB7dYk1Bx8DpsV6OzrR:pj50WGLsAw+isBOHhkym/89b0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Backdoor.Win32.Padodor.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe

Executes dropped EXE 64 IoCs

pid	Process
4764	Gbjhlfhb.exe
2796	Gidphq32.exe
4712	Gpnhekgl.exe
2080	Gfhqbe32.exe
2468	Gmaioo32.exe
1404	Gppekj32.exe
3592	Hboagf32.exe
404	Hapaemll.exe
692	Hbanme32.exe
4612	Hjhfnccl.exe
4668	Habnjm32.exe
3888	Hfofbd32.exe
1132	Hmioonpn.exe
1128	Hccglh32.exe
8	Hippdo32.exe
384	Hmklen32.exe
668	Hcedaheh.exe
1292	Hfcpncdk.exe
4320	Hibljoco.exe
4068	Haidklda.exe
2172	Ibjqcd32.exe
4576	Iidipnal.exe
2220	Iakaql32.exe
4872	Ibmmhdhm.exe
2336	Iiffen32.exe
1388	Icljbg32.exe
5084	Ijfboafl.exe
4272	Ipckgh32.exe
3964	Ibagcc32.exe
1124	Iikopmkd.exe
3932	Iabgaklg.exe
4892	Idacmfkj.exe
1488	Ijkljp32.exe
2492	Imihfl32.exe
3996	Jpgdbg32.exe
3796	Jjmhppqd.exe
4172	Jiphkm32.exe
4980	Jagqlj32.exe
4204	Jdemhe32.exe
3204	Jfdida32.exe
1996	Jibeql32.exe
2956	Jplmmfmi.exe
3220	Jdhine32.exe
452	Jidbflcj.exe
4816	Jaljgidl.exe
3240	Jbmfoa32.exe
3084	Jkdnpo32.exe
4284	Jmbklj32.exe
3848	Jpaghf32.exe
3608	Jbocea32.exe
3520	Jkfkfohj.exe
1740	Jiikak32.exe
4968	Kaqcbi32.exe
3892	Kdopod32.exe
2660	Kgmlkp32.exe
744	Kilhgk32.exe
2828	Kacphh32.exe
4844	Kbdmpqcb.exe
732	Kkkdan32.exe
3644	Kmjqmi32.exe
448	Kphmie32.exe
1344	Kbfiep32.exe
4460	Kknafn32.exe
2544	Kagichjo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Backdoor.Win32.Padodor.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5272	5756	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Backdoor.Win32.Padodor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 4764	860	Backdoor.Win32.Padodor.exe	90
PID 860 wrote to memory of 4764	860	Backdoor.Win32.Padodor.exe	90
PID 860 wrote to memory of 4764	860	Backdoor.Win32.Padodor.exe	90
PID 4764 wrote to memory of 2796	4764	Gbjhlfhb.exe	91
PID 4764 wrote to memory of 2796	4764	Gbjhlfhb.exe	91
PID 4764 wrote to memory of 2796	4764	Gbjhlfhb.exe	91
PID 2796 wrote to memory of 4712	2796	Gidphq32.exe	92
PID 2796 wrote to memory of 4712	2796	Gidphq32.exe	92
PID 2796 wrote to memory of 4712	2796	Gidphq32.exe	92
PID 4712 wrote to memory of 2080	4712	Gpnhekgl.exe	93
PID 4712 wrote to memory of 2080	4712	Gpnhekgl.exe	93
PID 4712 wrote to memory of 2080	4712	Gpnhekgl.exe	93
PID 2080 wrote to memory of 2468	2080	Gfhqbe32.exe	94
PID 2080 wrote to memory of 2468	2080	Gfhqbe32.exe	94
PID 2080 wrote to memory of 2468	2080	Gfhqbe32.exe	94
PID 2468 wrote to memory of 1404	2468	Gmaioo32.exe	95
PID 2468 wrote to memory of 1404	2468	Gmaioo32.exe	95
PID 2468 wrote to memory of 1404	2468	Gmaioo32.exe	95
PID 1404 wrote to memory of 3592	1404	Gppekj32.exe	96
PID 1404 wrote to memory of 3592	1404	Gppekj32.exe	96
PID 1404 wrote to memory of 3592	1404	Gppekj32.exe	96
PID 3592 wrote to memory of 404	3592	Hboagf32.exe	97
PID 3592 wrote to memory of 404	3592	Hboagf32.exe	97
PID 3592 wrote to memory of 404	3592	Hboagf32.exe	97
PID 404 wrote to memory of 692	404	Hapaemll.exe	98
PID 404 wrote to memory of 692	404	Hapaemll.exe	98
PID 404 wrote to memory of 692	404	Hapaemll.exe	98
PID 692 wrote to memory of 4612	692	Hbanme32.exe	99
PID 692 wrote to memory of 4612	692	Hbanme32.exe	99
PID 692 wrote to memory of 4612	692	Hbanme32.exe	99
PID 4612 wrote to memory of 4668	4612	Hjhfnccl.exe	100
PID 4612 wrote to memory of 4668	4612	Hjhfnccl.exe	100
PID 4612 wrote to memory of 4668	4612	Hjhfnccl.exe	100
PID 4668 wrote to memory of 3888	4668	Habnjm32.exe	101
PID 4668 wrote to memory of 3888	4668	Habnjm32.exe	101
PID 4668 wrote to memory of 3888	4668	Habnjm32.exe	101
PID 3888 wrote to memory of 1132	3888	Hfofbd32.exe	102
PID 3888 wrote to memory of 1132	3888	Hfofbd32.exe	102
PID 3888 wrote to memory of 1132	3888	Hfofbd32.exe	102
PID 1132 wrote to memory of 1128	1132	Hmioonpn.exe	103
PID 1132 wrote to memory of 1128	1132	Hmioonpn.exe	103
PID 1132 wrote to memory of 1128	1132	Hmioonpn.exe	103
PID 1128 wrote to memory of 8	1128	Hccglh32.exe	104
PID 1128 wrote to memory of 8	1128	Hccglh32.exe	104
PID 1128 wrote to memory of 8	1128	Hccglh32.exe	104
PID 8 wrote to memory of 384	8	Hippdo32.exe	105
PID 8 wrote to memory of 384	8	Hippdo32.exe	105
PID 8 wrote to memory of 384	8	Hippdo32.exe	105
PID 384 wrote to memory of 668	384	Hmklen32.exe	106
PID 384 wrote to memory of 668	384	Hmklen32.exe	106
PID 384 wrote to memory of 668	384	Hmklen32.exe	106
PID 668 wrote to memory of 1292	668	Hcedaheh.exe	107
PID 668 wrote to memory of 1292	668	Hcedaheh.exe	107
PID 668 wrote to memory of 1292	668	Hcedaheh.exe	107
PID 1292 wrote to memory of 4320	1292	Hfcpncdk.exe	108
PID 1292 wrote to memory of 4320	1292	Hfcpncdk.exe	108
PID 1292 wrote to memory of 4320	1292	Hfcpncdk.exe	108
PID 4320 wrote to memory of 4068	4320	Hibljoco.exe	109
PID 4320 wrote to memory of 4068	4320	Hibljoco.exe	109
PID 4320 wrote to memory of 4068	4320	Hibljoco.exe	109
PID 4068 wrote to memory of 2172	4068	Haidklda.exe	110
PID 4068 wrote to memory of 2172	4068	Haidklda.exe	110
PID 4068 wrote to memory of 2172	4068	Haidklda.exe	110
PID 2172 wrote to memory of 4576	2172	Ibjqcd32.exe	111

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\Gbjhlfhb.exe
  C:\Windows\system32\Gbjhlfhb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\Gidphq32.exe
    C:\Windows\system32\Gidphq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\Gpnhekgl.exe
      C:\Windows\system32\Gpnhekgl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        28⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        31⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        32⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        33⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3796
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        40⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        44⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        48⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        50⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        60⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        64⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4848
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        68⤵
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        69⤵
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1968
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        73⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        74⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        75⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        76⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        77⤵
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        78⤵
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        80⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        81⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        82⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        86⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        89⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        90⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        93⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        94⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        95⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        96⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        98⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        99⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        100⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        101⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        107⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        111⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        117⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        122⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        124⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        125⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        126⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        127⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        130⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        131⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        132⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 412
        133⤵
        Program crash
        
        PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5756 -ip 5756
1⤵
PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dkfpkkqa.dll

Filesize
7KB

MD5
18ca2e5787b86b73a87f3d95c206f94e

SHA1
c5c8d4885e89c76d180cc7677d15ea54dac2a98e

SHA256
e5e5aff4a00f4bc1ee588729098baefa463a4e05aaf18333782bd51864685378

SHA512
e10e8317504ad31f526edd8d78d1bc99eb0dbe7d96ee3ce4b56d735134b26a417c61b6bd3c990a36ba532c6ef74ff84638fc9dd8141dee4fa1118653e4076887

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
192KB

MD5
275bbbca706b70c67951a2dced8d8bd3

SHA1
ab25841006e0717a2ad8e7b50e754f78d910c3ae

SHA256
1f78341447aa34f0cb27aebffd81b876a1c99e56d95dca6ad26ec946042291dd

SHA512
2d7b44ae9af84a1cf7677f1899a421bcd9d7e6e264ce3c6cc828b5df7ce769f5f44cd83e782906376ef715f1735ebd8d0eee7d04d4e50e65f38ad54ee81e70ce

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
192KB

MD5
05d8ca83bfde72af996b88f47cc69ccd

SHA1
f6532120acf04d4a59adbfc04ba5759cf50a8c24

SHA256
b82d06d244adb00fbbad969b54def208407684ad6c77e87c59f1f143d0bd28b7

SHA512
c1b25666bb0da3826b679231988b224f0efe6118bac4213338ae654cd82a35e91c4d84196240085ac6abb3caa8fbfb76c2f21de38f28c24c0aff7cf5bec21ac9

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
192KB

MD5
abb520d7ab498255e4115d5c6f6c62b0

SHA1
62b1ec8652307b0bf08a481d96ccce6853ede62b

SHA256
6e0b3e5c7140fca239ead1077b74073d0624ae627d28cd9afbe07f9fc5cb60fa

SHA512
d4f776b8de43eee113acff53c52cb328e2ae1c2dbac2c227f634a380c3dedeb0e4e1179e3cddd37669b692b6c72f9119eafc26c66c4284862ebcbfdd7bbd814a

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
192KB

MD5
53a509656a8e5b873fb041ab5c2c4391

SHA1
3ef3084f489e241ba5bf9c91cb6c888e622eab5b

SHA256
ba5a68f9f462c801c27fa8db53c6ec3ea7afd7e1a75de79e01fe19f78eb54b04

SHA512
3bcbd53ed5726242c5470d34ad52671e9a2388409991b46db2145102381fb46e1a7184aeed6fe8accff25219020035765f2583051db45172e9ca83971392a1ef

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
192KB

MD5
24ecee0fe6bb36f7ef097250cb3987ad

SHA1
395c92d36bcd502388704d8f89838328913dda0d

SHA256
37c70b322a21085e73fe7fe7ac91ad04cfe2e70547840876458b7f9311d2dfdc

SHA512
8225d622a2570714b7797f5a6912e20a445dbb69aa14eb2948c6516c8f581d833b14a442801193c8a268a151adb846efdcda2c8e350f92f1df30e8d7dd938e1a

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
192KB

MD5
dd5961558d5fa45f0080c45527a9f251

SHA1
c8234845a8f58d50156b9cf7fdf1a56caa72eb13

SHA256
6d0db410c88a58aafff705b7bd82d17a2e663f63016ba87295b947748ef4d544

SHA512
bbd2792e8bec9a06ef1a399fc27e975d0a50783757766067ca1f656d343b59307763f55de421b8b2c6f72a1dc2266357949a5b971b0aa4b55b24d1338b1355b9

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
192KB

MD5
87bcd83b2455851c0adb77ead69bdf1a

SHA1
c50f5a9dc3ba44b12d194a22a274859b46f0b328

SHA256
3a517b8051584060367780625bb78c2f847245a8023309f941a4d596b731a454

SHA512
6ecbd572e1affd7bb12da497ac9f4b80624cf22023fcb0cc82ec616b7ef413ace18f6ba98b8cc27bfb14e7d2a6a92748978bc2ac6b2279a6317d985d4e5fa451

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
192KB

MD5
0b079715be022abe3780b1e9997c6cbc

SHA1
69dc19a09d24ff127a5e3c7b3970384fa2f5f45d

SHA256
af025a9c61f3185f0768da1b109ff7734c21e292b08abd16f478890e9950f3f5

SHA512
8e230b5b8c4ba506ea5c67390233374ce38ed5b1bb0a637ebf078b47b72222907323c35c356fd2b942e0fda8dcb40a2acb8b83668adec5c0ad9f176a710380f8

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
192KB

MD5
129584924ff3b6516cc30c991906f3be

SHA1
5b27bb7e521ffbfb42095eee76244f4810c0ef26

SHA256
7c31f2f53b4c4e336d9a4774213a3fdc7c4d4030ba1369444720f1b099c80f60

SHA512
9bb335a827dcb2d4301f3bef506bfaad81f155a9a1f3e442daa12bbb0fb876ab491ab58f7d377cf0d813b16ff915b19f7b16d8968c036880319688abd8ec5e4c

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
192KB

MD5
2f280792108d7d10e8f8f2c6cf31cb55

SHA1
16a0f5b72cb010889628bc1b1fb1e7afa3229b08

SHA256
62b1651ba7e4855b9b4810bd585cffb33f12516437da48ca4dd4f915e5da2f16

SHA512
2117b88e8fc06cad1c4707d92682b2b974be4f9154278dba475053e0bca21aafda32d42b510706b5df5ee00fecb2bea0127dce13c28a71bb5d68f7331a02e2b2

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
192KB

MD5
3b7e43f9e08dd0bfecc94c40093780a9

SHA1
aa3e0d29b5e491c950038f4ae1ceef6e9a6fc752

SHA256
e9eb4b488070d1fffaef7bcefd6597e9f792946d40919e1a8315a8265cde9adb

SHA512
611bfc1fa43cb900b2c001902e17980e77b132d9532dade70604cc2ba7442a594dfb1a5da7634f32ab0924758d692e94cd20cc2d9c4ed34a91ff21e9bedfd8da

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
192KB

MD5
f244d385edf6e94053e7c73388521307

SHA1
90f323b8d12ae8dfedfaad3aa251a86cdcabf6dd

SHA256
b87183307fa08a81d37b175de4d936227500dfd1c3a9415fcd3bd6931e21de39

SHA512
0eaaf193a2c7c7aa960ecb9f3a1d5ba6cb44191f47b9e4235d0cf818898c736d3a96187ae65d8807bc3d161a3dccb923c165706300dd86d5f6c6c586d089a913

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
192KB

MD5
29359c1d1be59f53028ac0f3eb3476aa

SHA1
51d34a5b417c25ee47c82e58ad9521e6bb9bfd18

SHA256
da46f7e48b12d75b2a77a0669fb0cc4acddb720634fd2ccdf475fff50a3299fa

SHA512
52f8a27eae5b7a29491cf048719c0f052d66035271637f1693bf76a7713b2fec419c194a658effa4218d264e3dc37ce1d04b85988628e66f5aae8eb2d7bfb68b

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
192KB

MD5
2fd7977ea8465072b5e8befee758fa3c

SHA1
634f9a88f1bd45ed5f845454bb0992a8415d3025

SHA256
87550784372a1442f486c9a01813281256f19efab369e962608fbc46ae860142

SHA512
cb332c0a57630175666ae54b47b3919a1169939d602245330a7b94acb44f940e826d4b9421801cf7602776cf0be60c6f15ba777c36ce6103e74c5b9336a8bdb5

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
192KB

MD5
98a5a2aebf523e5708388c70760e0b44

SHA1
9acd7a428d4dd8dc085d05b64bb634f28ffe9331

SHA256
ec570c203dfb4115af74c5acdfa46f3a0b270db8bc013e1a5e6e0e4a934fd7c2

SHA512
d4acfea40f695fed20319bbf2a1716fa7383fd804b38c2c7ddf691ccfd7dc9a3981fa512e555fbd1b82668efa163d1827a29e123b766e01ec1cfa0630f64f66f

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
192KB

MD5
f793323736ec31f9eaa8e531c46db488

SHA1
5f28ca002dd050a04f7923414fd43244448f023f

SHA256
a62c2310745a3e0c0fc98409c97593bc1c4a3f7381e3883890e172fd9b83025d

SHA512
978edef82b4f3c8e5eb99179088b81e27c9c6ea0ecacf406f04252a39b7eb8799ddd0151c1de8e015d1cb10c9bc33aad36d43855859d88551403808bc97b7205

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
192KB

MD5
7946916954ee070fc725dae5f3827fb9

SHA1
86f68c3b165101c7c031a3d9295a08e0c13e825d

SHA256
295f8ac48fd1b23fdc8313c7bb90fd390ceec098e3ef8e2dd18ed7a38a6492a9

SHA512
22ae81f6d4e5e322192b2db13ea5acd3df4480c524b23f7f37809b45ce5a167a340d1fe48a3aabc3d23ddd0947bc376126c724b5fba3c10128553272ae038a71

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
192KB

MD5
ce7322aa9281866f0374457307da72b0

SHA1
6ac111de998ee05a6a205a822a6ed436d7a81675

SHA256
86d56b9499dc9c782fd4c6c90913eff0585855be74c809cb1d0ec99e5734d7a7

SHA512
fefbd997567446d9df5ed0c33b7c7450fa02ee895afa4be0793c583f48fe97535ba030492a08854d49c35b255b55522ad38298ff1c6498bd12d40de6f9bc41c0

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
192KB

MD5
c1c93093c84cab0986be4417e0cd65d1

SHA1
de3167107819542496a8bd32a68be3d431deae0c

SHA256
b1b758426948e9f6dfe250f6d9d34203cb8802fe5db14957e81dd7924be6fa15

SHA512
5b457f97f0c342a2ffcf67226660cbb197829d1c1694cca279ad02920f60f3efac61f14314175713a759e9400f3d6bfd53ae884e1129b2a633f97fae303c2872

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
192KB

MD5
71f604d390f1fafd48c3c65573637622

SHA1
d981fc0c2577272a546f467d47a00275167db494

SHA256
3cdf122f725e89465599657399d64e1db0ca7748eb9922b95811b377eb663afd

SHA512
f2e8575b3ffc5dafd8fe6e7cf93f7e1f3617d13400683881e60ba4e45d243ba974b6d137ee680bdc77d20885c11796254a86397bdf2c12dcc403299a3f1c01eb

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
192KB

MD5
a1d29ff19bcc6ee6d5708a9dbfb17f28

SHA1
6481ae095ce1a02d3258104dc0bff2ffa48a6ffe

SHA256
1318e718b8bd84b0feed2571b92a118355504f1606eca4485c09fa5e4e01015a

SHA512
2d4294c661f4d3a7b4ccb211404b3f426885723681bae62b52d51824219d034dbca45a7f5647ec12957add89c24914d60a862a574936c258730a720f1457520b

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
192KB

MD5
079f92cce853b0e4cb2d400000b778f0

SHA1
c8613996a9424669b8e459ec9b04545c87e91575

SHA256
9eec8715d3265413115be29112d6a1ba2deee21256697e9bec1e7ca4bb0f19e4

SHA512
6b92aacbae32d21d2a2d2edbff1fea4e01aab4fa24e08c4d8cd19edf808b63a6aab55ae7fee618040cf436ffc10edfd150cb605dd242b781271104bc4c586298

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
192KB

MD5
3c93ead6928aa21fe749de8ca2eb8f09

SHA1
ade6c077e3be8191d1ed0d99c60f5961e97b3a51

SHA256
32402131e8721668f130ad90bd53adaaf6af769519201ae735f4b004969b5cba

SHA512
7a8c8e4165a0d6a0e7e770e8794835608c3ebc941ea5a0f591b6439e88e481501ba43275692e840e949d222a8975c9b27e4fcc2968aaa9753d45363f1b6e3f75

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
192KB

MD5
3248b067a9ff8e3ddfd18ef763e78717

SHA1
dfe1d133361ed837230e9634f4215368f05f3e28

SHA256
fff12a76312d4a76451dd578c46bec8f06b54a5c0ac0547aff8bec7ca1688920

SHA512
44f4cfcad733abb986dcc5379bdb4827ed6d257417f3d529eaf9a311010327dfbc398b39b0f93e93d328be040e14147c02528201a64894ff287a766347ac4b35

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
192KB

MD5
13e7750ce70612c3d58a145f3e045972

SHA1
618848890a900e5f2f1e24948252f1396286ed27

SHA256
66b070af92ea365931615da35ef922a516b482e3191643f75bebe61b80c4250b

SHA512
67144a28b54ca5154f0687a2b615f1e7db116819fc3737f72a7e035304431c27477f5670c9d4817621f6045a4be89ea4f183c63aa488d1da064f8073337cba24

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
192KB

MD5
935e2a6e97292b7aed6e352aa6aec45e

SHA1
362b3f13ea7b7233f03985939ad681cc067e4ece

SHA256
76d7d88ce42ae6be60a1fbc6d18d94e3d2e45f87555216db890a65b558365fb4

SHA512
a73ce37ea4b03c3a4a21da2b5779292dfaa0edee865858cb53181c8bd23cfb4a369831f9231012c8bb53e08af0d4f384876897e386d595c995f747ca3064ed76

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
192KB

MD5
c07266821edc9ffdb45d49b9f8be11e9

SHA1
8cc6acc5e7875853579db69b97fd14102867f627

SHA256
f2f20f16b2780f9b76dbf93892678534fd755685061925289d3c1a2038393155

SHA512
7e4626cabd499ae288576fe53ec12c81b4d2c07e71d965c763dfdc438a34dcfe8b9f830cae083997809f4646662cba81290c86b52f0f0bb2a01c8d5a0c3c6ca2

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
192KB

MD5
dd2602ba3d1ab820ab663a5026fd73de

SHA1
e5a204b393809ea1bfe63ddb132df14d53423e59

SHA256
b5dda00fe16239f6d207e389861a734bd65c3a61502c904179ed64d08359a815

SHA512
b43de98b0bf59ccbfe1c9b9ff3bd6dd9134639ded7328b83d3fd1558d51007b53376f0bbe46dfa0baf57a5e317745a1680401cb9026071ee14030d8138300bb3

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
192KB

MD5
26ccabd33d278991bae593eda305b04f

SHA1
115212eb15b8504c17609247634feb1e73bf8921

SHA256
a8b43ffef806b39c1be25be55e2d5b70e60b1b1d15a7062053b45f94691a282a

SHA512
a7fed070d3f30c5ed6007b17ada5e781b4945edf3b51febef5c6eeb89d0a13e6ed4b236ffead9521a6b734989fabeacc3686d3b5befbbf9b53aa1bd2c88a96bd

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
192KB

MD5
223b958767b58333ef7365c2edf5acea

SHA1
37e69d515ea2141173136d745e399348cb524578

SHA256
d339108d967556d724ddfa4d66ffcb05625288652bf1fdec2b6872748cb1fd91

SHA512
91c77199f9ef6047ed6ad65e55ad2b399ecf411107de105d18072029b4871203c6f2cd464ccfb5d57a134b45dc7388ec718182c5dca25e9b8fc3d5e904b1fa00

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
192KB

MD5
1a7498477645b934fc89878f4e1b2f5d

SHA1
8e2240b4b8dbdced7f9da2bbc2eaca2ace35e5c7

SHA256
1e9637fdbad91ec490d1f17e5c627fc3457ea6186aad2f48e2f19db284f2db40

SHA512
506bb8bf12c1a596be0e3820d9fba2b9083bea28e40a5ff36b00ec9f8e14960b9f5027d53e4420114f23cb777933eb459b11113dd11a1c35553a0c10db659487

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
192KB

MD5
2cf4017850f8eccda9f3c31938c698b5

SHA1
734eb6ec8f229967da78df3914d68a0a24140458

SHA256
42d7e3dc8331c5ba590ebe4821b710927bc46d41c43850cf522921a60cc2c43e

SHA512
88dccf117d6d229dd7ef244a51b3cb95bf6d2a433aa3db6323600c743e08138ca0fed9f361b725954e9da5ba5ddb3fc48fdf27e493d952e24a9765c59eafa052

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
192KB

MD5
04a182b9c73849852175b4b62ece3a9b

SHA1
732dae5ba3a46886a3096910f5d1fe64a0e92d5e

SHA256
b2bfc6099ec8c72cb5e25d66b4d1eb7a5a0f5e6f1bbf668b8adadf4246047f19

SHA512
47f8a9cac49882b50040c0763f8a984435674f7a35e07a97f09736122f03c638cd8d6305f084cef06148350b0c7a33abb3b17d322bbdb796bed8b140ce05cdf6

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
192KB

MD5
3d01ba8a800756810022b49eb9f5524c

SHA1
d9d3ad0737fe61b05fca53b3739fc8e146bf8dbf

SHA256
3fcb4500620eb239040df77fa44651d53af174879b98e2e9e2737977c8ba6f46

SHA512
3cd6291daf1f9ab972e8b1a1b9ab03a244cebbd4ece7e7ab28c5692b564b1dacc88aaa57e46664a7b10072b86a789747ebf561efffe77ac6625b29f6fc6da9f8

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
192KB

MD5
f454614e4889f80c3263a520e17b7e96

SHA1
9fc9c93b1aedacd2aa092dd64145b2c1fcd95c9b

SHA256
40e7c16c6d530bcf8e77c8237fa24e0c73b852bf9f2d505291048f96c0f85efb

SHA512
f510237f62e88b4b257c893a2c2e29ef653a709595c6d46a0691f429ac63eeab2852225b87791bbc56553249a89b9b8077fb45453ba2f5516ad117f8e930b55a

Download Submit
memory/8-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/384-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/404-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/448-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/692-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/732-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/744-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/860-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1124-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1132-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1292-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1344-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1388-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1404-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1488-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1740-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2080-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2492-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2828-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2956-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3084-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3204-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3220-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3240-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3520-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3592-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3608-365-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3644-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3796-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3848-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3888-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3892-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3964-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4068-164-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4172-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4204-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4272-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4284-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4612-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4668-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4712-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4764-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4844-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4892-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4980-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads