15c371cde87e94e6d610b1d429443434cd02022b7e3896538404c7b3aa7fecbe

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 17:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15c371cde87e94e6d610b1d429443434cd02022b7e3896538404c7b3aa7fecbe.exe
Size

704KB
MD5

e7d9acfd1920e9be53418be25ee686a4
SHA1

ab6755a19d5cc9ed810052b4948938f90005d001
SHA256

15c371cde87e94e6d610b1d429443434cd02022b7e3896538404c7b3aa7fecbe
SHA512

c4e22eab0320c55d20047bf3ddda4410f5d49915503cb80cf709aff90e121c5617ce87791dceb6f5d59963b0e0b27ad51074db3c3e31b43af540085f177f6f10
SSDEEP

12288:jcHrQg5W/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5KW:j+rQg5Wm0BmmvFimm0MTP7hm0b

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe

Executes dropped EXE 64 IoCs

pid	Process
3292	Gfnnlffc.exe
3596	Gqdbiofi.exe
2636	Gcbnejem.exe
1172	Giacca32.exe
2624	Gcggpj32.exe
1464	Gidphq32.exe
3592	Gpnhekgl.exe
4512	Hclakimb.exe
3912	Hihicplj.exe
3940	Hpbaqj32.exe
1056	Hbanme32.exe
4608	Hjhfnccl.exe
392	Habnjm32.exe
2004	Hbckbepg.exe
3100	Himcoo32.exe
2496	Hfachc32.exe
1420	Hpihai32.exe
1792	Hbhdmd32.exe
5048	Hfcpncdk.exe
3860	Hibljoco.exe
2388	Haidklda.exe
1616	Icgqggce.exe
460	Iffmccbi.exe
4276	Iidipnal.exe
4396	Icjmmg32.exe
2500	Ifhiib32.exe
3228	Iiffen32.exe
916	Iannfk32.exe
4604	Icljbg32.exe
1100	Ifjfnb32.exe
1864	Ijfboafl.exe
3464	Imdnklfp.exe
740	Idofhfmm.exe
3352	Ifmcdblq.exe
4024	Iikopmkd.exe
3820	Imgkql32.exe
2340	Idacmfkj.exe
4728	Ifopiajn.exe
3884	Iinlemia.exe
852	Imihfl32.exe
4680	Jpgdbg32.exe
4432	Jbfpobpb.exe
5040	Jjmhppqd.exe
4576	Jmkdlkph.exe
2148	Jagqlj32.exe
4192	Jdemhe32.exe
1204	Jbhmdbnp.exe
4952	Jjpeepnb.exe
4640	Jmnaakne.exe
3348	Jaimbj32.exe
4184	Jdhine32.exe
4620	Jbkjjblm.exe
4100	Jidbflcj.exe
1380	Jaljgidl.exe
4632	Jpojcf32.exe
3932	Jbmfoa32.exe
1016	Jfhbppbc.exe
3144	Jigollag.exe
2304	Jmbklj32.exe
4980	Jpaghf32.exe
3760	Jiikak32.exe
4824	Kpccnefa.exe
3700	Kgmlkp32.exe
5052	Kilhgk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Giacca32.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6028	5852	WerFault.exe	209

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	15c371cde87e94e6d610b1d429443434cd02022b7e3896538404c7b3aa7fecbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3292	4908	15c371cde87e94e6d610b1d429443434cd02022b7e3896538404c7b3aa7fecbe.exe	88
PID 4908 wrote to memory of 3292	4908	15c371cde87e94e6d610b1d429443434cd02022b7e3896538404c7b3aa7fecbe.exe	88
PID 4908 wrote to memory of 3292	4908	15c371cde87e94e6d610b1d429443434cd02022b7e3896538404c7b3aa7fecbe.exe	88
PID 3292 wrote to memory of 3596	3292	Gfnnlffc.exe	89
PID 3292 wrote to memory of 3596	3292	Gfnnlffc.exe	89
PID 3292 wrote to memory of 3596	3292	Gfnnlffc.exe	89
PID 3596 wrote to memory of 2636	3596	Gqdbiofi.exe	90
PID 3596 wrote to memory of 2636	3596	Gqdbiofi.exe	90
PID 3596 wrote to memory of 2636	3596	Gqdbiofi.exe	90
PID 2636 wrote to memory of 1172	2636	Gcbnejem.exe	91
PID 2636 wrote to memory of 1172	2636	Gcbnejem.exe	91
PID 2636 wrote to memory of 1172	2636	Gcbnejem.exe	91
PID 1172 wrote to memory of 2624	1172	Giacca32.exe	92
PID 1172 wrote to memory of 2624	1172	Giacca32.exe	92
PID 1172 wrote to memory of 2624	1172	Giacca32.exe	92
PID 2624 wrote to memory of 1464	2624	Gcggpj32.exe	93
PID 2624 wrote to memory of 1464	2624	Gcggpj32.exe	93
PID 2624 wrote to memory of 1464	2624	Gcggpj32.exe	93
PID 1464 wrote to memory of 3592	1464	Gidphq32.exe	94
PID 1464 wrote to memory of 3592	1464	Gidphq32.exe	94
PID 1464 wrote to memory of 3592	1464	Gidphq32.exe	94
PID 3592 wrote to memory of 4512	3592	Gpnhekgl.exe	95
PID 3592 wrote to memory of 4512	3592	Gpnhekgl.exe	95
PID 3592 wrote to memory of 4512	3592	Gpnhekgl.exe	95
PID 4512 wrote to memory of 3912	4512	Hclakimb.exe	96
PID 4512 wrote to memory of 3912	4512	Hclakimb.exe	96
PID 4512 wrote to memory of 3912	4512	Hclakimb.exe	96
PID 3912 wrote to memory of 3940	3912	Hihicplj.exe	97
PID 3912 wrote to memory of 3940	3912	Hihicplj.exe	97
PID 3912 wrote to memory of 3940	3912	Hihicplj.exe	97
PID 3940 wrote to memory of 1056	3940	Hpbaqj32.exe	98
PID 3940 wrote to memory of 1056	3940	Hpbaqj32.exe	98
PID 3940 wrote to memory of 1056	3940	Hpbaqj32.exe	98
PID 1056 wrote to memory of 4608	1056	Hbanme32.exe	99
PID 1056 wrote to memory of 4608	1056	Hbanme32.exe	99
PID 1056 wrote to memory of 4608	1056	Hbanme32.exe	99
PID 4608 wrote to memory of 392	4608	Hjhfnccl.exe	100
PID 4608 wrote to memory of 392	4608	Hjhfnccl.exe	100
PID 4608 wrote to memory of 392	4608	Hjhfnccl.exe	100
PID 392 wrote to memory of 2004	392	Habnjm32.exe	101
PID 392 wrote to memory of 2004	392	Habnjm32.exe	101
PID 392 wrote to memory of 2004	392	Habnjm32.exe	101
PID 2004 wrote to memory of 3100	2004	Hbckbepg.exe	102
PID 2004 wrote to memory of 3100	2004	Hbckbepg.exe	102
PID 2004 wrote to memory of 3100	2004	Hbckbepg.exe	102
PID 3100 wrote to memory of 2496	3100	Himcoo32.exe	104
PID 3100 wrote to memory of 2496	3100	Himcoo32.exe	104
PID 3100 wrote to memory of 2496	3100	Himcoo32.exe	104
PID 2496 wrote to memory of 1420	2496	Hfachc32.exe	105
PID 2496 wrote to memory of 1420	2496	Hfachc32.exe	105
PID 2496 wrote to memory of 1420	2496	Hfachc32.exe	105
PID 1420 wrote to memory of 1792	1420	Hpihai32.exe	106
PID 1420 wrote to memory of 1792	1420	Hpihai32.exe	106
PID 1420 wrote to memory of 1792	1420	Hpihai32.exe	106
PID 1792 wrote to memory of 5048	1792	Hbhdmd32.exe	107
PID 1792 wrote to memory of 5048	1792	Hbhdmd32.exe	107
PID 1792 wrote to memory of 5048	1792	Hbhdmd32.exe	107
PID 5048 wrote to memory of 3860	5048	Hfcpncdk.exe	108
PID 5048 wrote to memory of 3860	5048	Hfcpncdk.exe	108
PID 5048 wrote to memory of 3860	5048	Hfcpncdk.exe	108
PID 3860 wrote to memory of 2388	3860	Hibljoco.exe	109
PID 3860 wrote to memory of 2388	3860	Hibljoco.exe	109
PID 3860 wrote to memory of 2388	3860	Hibljoco.exe	109
PID 2388 wrote to memory of 1616	2388	Haidklda.exe	110

C:\Users\Admin\AppData\Local\Temp\15c371cde87e94e6d610b1d429443434cd02022b7e3896538404c7b3aa7fecbe.exe
"C:\Users\Admin\AppData\Local\Temp\15c371cde87e94e6d610b1d429443434cd02022b7e3896538404c7b3aa7fecbe.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\Gfnnlffc.exe
  C:\Windows\system32\Gfnnlffc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\SysWOW64\Gqdbiofi.exe
    C:\Windows\system32\Gqdbiofi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\Gcbnejem.exe
      C:\Windows\system32\Gcbnejem.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        34⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        41⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        45⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        50⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        53⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        58⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        66⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4460
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        70⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        71⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3424
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        73⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:712
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        78⤵
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4924
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2116
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        83⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        84⤵
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        86⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        87⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        89⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        91⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        94⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        95⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        98⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        99⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        100⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        101⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        103⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        106⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        110⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        116⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        120⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 216
        121⤵
        Program crash
        
        PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5852 -ip 5852
1⤵
PID:5976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Emhmioko.dll

Filesize
7KB

MD5
58b0c1abcd76f0e910b3f60e7a0f1fd8

SHA1
d7a42c1f9738b6d9d4c6c9b13c4aed5c66e07a7f

SHA256
e51cbcaa0c8d90ec17b427903c8c9d879ef3f35289937ba768c8721a48f1e165

SHA512
a53f6d4d03d16f7a1e9edf6769eea25bf01e2fb16a902352f8afbb459570006a64dd26340b3bc794a1c001b5d5cd995cbd3f92a37d09161b0ba4ea95358d790e

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
388KB

MD5
5df584bb91d3f79cab678a1b8ce21558

SHA1
34fd314e41f21c5460763d9b344468853a2aad13

SHA256
b51a0f710c6a84586cff5764c4329e6087a75da441b3da3dad6bf506beb30f72

SHA512
6c4dad88d34cdd4559f03b60764014d41791572cf8f1424b03fa305333694bfe5cafceae126428e35a71d84f137792b150cf9d72498018a6eff972f33a164dc4

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
384KB

MD5
8677d192adc9d4dcc1d8cd6ae83a7c33

SHA1
501630b387c8400712571b68d17ccf7e3997b2a8

SHA256
27f48af390247f5c42eb9676e35798f320c1097f5ff4990a14239cbb0426302e

SHA512
e1ea0ea99f6e8e308f0201995874043401d2c5297f41fa0f9913032dd61ec822b228a2b5b3704bf0ec9d6ff9c8749ff715d6a5c33c50c307fd970f20cbee3245

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
704KB

MD5
1230067e76183029661068b5bdcd1e81

SHA1
7aad18ea557130b7bb89dc4163fb59c673304a97

SHA256
c1499104fed1c070ac2c746d50df18b1ab60cd05798abeedbb4593d8b6269ff2

SHA512
eac64bfcf0c7efa55165b44e8eb100031780b0a4ba93deaf9b8052bfd5bd4159c9e50d778b148487ed789b253838cb9cd6dbd5c1aa098c96d978b1224ac7ad32

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
704KB

MD5
25bf48f711139821fa486b01fd0b7f23

SHA1
821e9837f82212c152cb2c4380a83048c282b491

SHA256
3648757d3aeb226075602dec1288531b5994b02699ef21a046d1035fbe36a00d

SHA512
1393004f3b059171b9ac37043bab6b092ef6d67fee50ca9b41a031f2b945fe2672797940c98379956eda9f1646e78e43d3894cbdd4ba053a57d4e41c3448b46f

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
640KB

MD5
e271f44375b6f7e25a36d2daf138c472

SHA1
4271055f2ef9f67088385b19d290b37f7ad5f41c

SHA256
5a66e64bd2ab41a3b874104ec851484eeccdc0faee233a8d5b2beb70b9c4895e

SHA512
b53b76fbe5326c52ce0b72ad9c91eaccfde14c7724162752eaf38978b1107a32c41e9e7bac6e99c16765aa2e84beed51299f67d2eb74506adfd3b2f8a6376819

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
704KB

MD5
7f3bbce77b4027415d79df0c56b00eba

SHA1
a1e1a476417b6a83485f050e9ab18acb7b977cd6

SHA256
dbf60942193285a183c022f9654da4380f00f9ca9777ec676f667e91c3b79d3f

SHA512
1ebb865a7366dba764bc5150db783f384d20383e6293437c60743391d1d1930f4f30e7ef1feb6e1817ced58bc92285ec9777c0890262ab45cbbd215716700bd9

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
704KB

MD5
5fe2397380ecec2021bcd1ea0bfee51b

SHA1
6190b1902d282b41625f29e84f405d4f6e31193c

SHA256
f956f28e4b3711456ed2085e8d402fbbd48aed34751e20557baf75f2b6640228

SHA512
5e0dcd58e04cde928f73ec55409448f8245f848f7983de2b3f5852a01bdbfec064af30062ad4704dfcb99712a40cb7cfff021575b4dee5da8552b53493fc4248

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
704KB

MD5
f17c324b77ebf314967edf6c14aad63c

SHA1
bc946e3006f32fceabe4530b5ee380f59c145f8a

SHA256
89bb6aa9bd66ee3828b6d9d567544881ff9d2ae19ef96d0fbf426f252b20ecae

SHA512
3c9a1d001a945ea7b5ab71d124fb0909fcca824bbe1a6a0c8f85533c602bc0ba1badf8e0b4b1374a99db134ca13da21c58547d42fb19457cfe4aedd5aab5b45d

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
704KB

MD5
ab6f2f1744b8f34bc4adc7f690c8bf46

SHA1
d2cb11a82d2bd5ef02e3a05f45060a18bf9d7724

SHA256
8edefe995b796ba40b5daeac66296324853c2bf56320aeb1c625c9d8737e69cf

SHA512
e939ed75ceeb1ae9b9ef72ee5eb1f40c2c2ab9c37176a35277cbee191b21804d80ff041efa724ef2b6f3a5c991e6cc53f9ea691a55ae823da387e1007d70466c

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
704KB

MD5
d60e1c355d4c6716ace556c2fd1360ab

SHA1
b47716c233330ef6298feae08f8f34aac639727b

SHA256
5418ad10416c80c530d9080d7b46d973fdedf470f4309c2086342093147c999a

SHA512
1c271b03e41ba91c0069c3a7a01fbd72eeb4d997708ff12bd8b88683d01545d3c74d49d70d607899fc6b3dc673d362fe4636ef57e8a47f124bc0bf4c196dbf25

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
384KB

MD5
c2b2a9a53e72833a1de8482e67c59784

SHA1
34b5f9fc427a863fe46e2c7df7912e70713b1327

SHA256
d4b133e2f7ff82cb957e2bc9ab647ad340eed6083640f7a1956ddc4fa0f07fd1

SHA512
af5a12eeed0b40bd90bd11d56f9db33bdbb4592c1519af0d5da0ed87be34c7008f516851c8f95781e7fd9926dc98da35794ec8e0059b4b2ba39ab8a3309e2298

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
704KB

MD5
051f876587e5792ffd1188ba9d4af2cd

SHA1
cf59ca6cfda789577e0f3170dde15a6fd6dfdb98

SHA256
26cb67cf502dbed3b5b88bc8d627793bf935a26eb782de1bd0bc262d15169ac0

SHA512
3d69dc4d47c457ffeb87db329e600217eb973382a2637be779b4bf2d153374a7863eb30f0803647bdf3d6a935a591d49b5e89605a56bdfa62c8b98c0607e6941

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
704KB

MD5
bffb127a9b2ba9fceeb8a55c3204aec9

SHA1
60d9d90d385267d505fde2c08e7ef43c22c3c8fd

SHA256
9b0f256ccf50327fb00523b79c0408c43ed12058e99ab3f0f719a123de987861

SHA512
cfd5750972c20a9b60777f6ae86c140ca494f8c2b621498e8d300644ab00113b63d551f14690d36bef94107fa559b60c4987be741f0e928010e033f23b80d3e7

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
704KB

MD5
4faa47655bd6bc89c38c09683f2961ed

SHA1
e16207e116153934e84a79daa4b026cb5871b357

SHA256
327dfe6331baa692ab7db166e4ef98673d594d34a14a0b1d1405f62fbf298fa9

SHA512
30c51aea3a73b3dde231b6d5690a3c31d290c8acdff4a7d1add5eac1bafca49118c15cec0663334492c5e44a82b9652fc62e5ae38d2634f879ddaa20aed5a862

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
704KB

MD5
c2245834a717494e28fc072c309a5920

SHA1
f0a426bb5ca6ecb3c5ff8a0397d46076a3dbf732

SHA256
60298a73fbc53ddea05c81b8bef2dda40cace9a0ca2a2e1a0197c902895d63cb

SHA512
bd2dc8cf4c41f0875882cd5f9ee7030d09f26345a9bbd6068518717cac51884b654e2ae40e3ecd55d8bb85108fe65fd9ec0b32f9349eeae2d5541bd6059180df

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
704KB

MD5
050b080740eccc5a1c89545e6909a985

SHA1
8f7583542b4e2d4950fdd9b0c2842d7d743c154f

SHA256
4d778664270b9c617a960782d6b528dbae6aefb36319819fe01e6f8c34fd7e55

SHA512
a7a60a685af05c01d18ffbeb3416129fb8b063929333eccdda9ed70750087cb16e4d435d030377a0f830d36b4ca857274be0bd1ad80606990db14edbd597912f

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
704KB

MD5
6a65e10faf70d328f260a5a10133ce74

SHA1
435553fa31990ac2b7a6fae140c6440f8be5592d

SHA256
b6a4666125bb6bfd864449463f8b268e24cbda6f97ca8996a667fd2ae366c79c

SHA512
eb4c188532b84a93c91b5d7c48c01c262cdfc1578d4c62ab56661af6f97d1c4cde19f28aa0b1dd4efd49ff00b8c1456a1fbe2f6b1350297be5d9f65c482219dd

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
704KB

MD5
cb819d2bb6808647f33e872c27c353f9

SHA1
15ed478a57ab6b9d1f437bda732981977dcea9d5

SHA256
c2c8763bc1d2806f4c3a01bbaa7b3dee468387a9574c38bec6f9cf328587a12b

SHA512
ef9fba88708bc12c7b1d66535190eb270243c5d6a0c96a1a479dbabebab7eaf6e2b67f71d9e0e22b22b94f88b31db66dc5db3ad184fa07a367859f6853677f1f

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
704KB

MD5
3cd2145ea9ee2f61196d07a13c023475

SHA1
0159b697c11fa075f277e0f0c47bf1c99d153cc9

SHA256
1cbaa1f288d5356891614935f386255e1bd34c7634f9bef87dd125a16eb305f9

SHA512
ca0a5735beddbca3eda957b277849df73a088e2a017713cbd2144d60d4d483d8ff873147941ba74d41ef3bd3556cc55270cce54c1559e060fc23003a0acd3c84

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
704KB

MD5
38b60e39abd6558f76fa003cb87f03e8

SHA1
14ab3814b96d17d97d4227ac5470ddab0e155500

SHA256
f525e5166fb58fe3555ebbf6f2527383803e5834d27a575c9b7d86c3274fe782

SHA512
3a03e3ba74ace9ea2eebd26b33ce82d199577cea669a3d96b33635e39093dc354911760c93717586bdde4362274cbf924b0cf2f19b5300a20f5d59ce8890e630

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
704KB

MD5
f8ef2938c9fa9e0b3eeb0e79c83316ba

SHA1
e05f2a17b7a315f01a1a35fcc4b533eedf48b044

SHA256
054861f5e1ab0ebec0b5dc1fd1f4d63ce34ec64f40a116c695d6e21cd0ba34e3

SHA512
c44a89b3055c07bdbc7779f741519b260eb6d75b882240ead8dd6f022b085d4727058129db4f29aa208530817211dd8fb0a6dbc448a542be825e18b3682f3c5e

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
704KB

MD5
111a154c1d1ae4d3ac01d388be45a918

SHA1
90a31ff2d60da5a1a010bea209632c898ed87e96

SHA256
45bf77f525a2d4cbab9556f8e7924f6d6ed5ecd272b24b2f5fd7f91e64b77e48

SHA512
82ee12e4ae9589118911094a86d1b94b40f5c3e0b3c763d22d37ec1a6cb6250acfc8afdb3db886b5f125eaee77ab87e6494036531c363c4bcdcbeada40c59397

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
704KB

MD5
0a549c1b2613f6045cf176c8e2b52fb0

SHA1
0c6822416272a62218277bc02d9cf61207e3a1ea

SHA256
f3305cec20044a6c6b61f12c7a8e76ca9f60371fe76eda879470a6d9bced3af9

SHA512
262cf0988aaa64f27b0f558859e4f2f38ee356b85692a7c6d2cb14bd40debb7245b2c0087f3e4d1a6db79c5a84059005521a44c2f495a4085363d1a2ca743108

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
704KB

MD5
655885d5ce5f1cd1084aac6751062a7f

SHA1
e7a1ae6ad3095e41bab5f285e97d7e386988783f

SHA256
ee5006c1d34fa400b3190c581987e98e15e7c1a28aeddf849ddfab94a83f829c

SHA512
5ec38049c3f59941408fb3079d4fb968c3f5591903b060791b4ca091deea4ebdfb7730a9c5257180b1b9bf99be2ae0de7b30f69f3874cddb3b6950dfbf82d538

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
704KB

MD5
aefe8f1728c3c530d62722ed5191b6f8

SHA1
b5248b57070a9cc67484d83a7b1db8eeed9718c6

SHA256
9d48aaaadc81a48bb3a0e9ad82bed2802d4bcc4f72a1cc864dd349ca3c39e961

SHA512
20e5ee876a4ad79822eab181514a47df07dcff0bde146ba8b095a99040766eb274051589afa59ea3dde81cfa2874e0ea51e79030ee6a37eb7bcea291efe6810f

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
704KB

MD5
a36d249e36e5326fdd05c7c2eba866dd

SHA1
9732c44b1735950bbd24a10e48f1f869f80cc4e6

SHA256
79d127376588a6057300053357e5ed3117f30f936031245eab2aeb331f9bba0f

SHA512
dc240d731e446094a05534aaf7ddde6810737b45d0a8db3867bfb22a4cdec4521240b3b9b0ef2809e2a2d8432de314feb3f7a019945cdd925797e98893ee35b7

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
704KB

MD5
42e87dc55d568ca52708a220c2af81e1

SHA1
1c8cbdb695cb98b9e208bb5f9af20058adee78d0

SHA256
1a9d4485bebe0791e0dd53e5d0a8f3da1dc592461407ad76e649c9b2f6260039

SHA512
8b8689d64c2c096c3efd5c699e9210d435a869fd61d9dfc453308350aa50a0c3150a268a85150899e5afe80cdd2ac4fc676ec9ec2239fff7ad801ea5afe34aa6

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
704KB

MD5
36d591589a13e0986fe83fb48a237d9d

SHA1
a770f301760136c8a819195383a8755b02e86aa6

SHA256
c935721ce333ad8b89dc3ee2e829b24b11f0eb78c4fc1e9f41ff164190c9a58e

SHA512
7eb8cfceb87f5b63d29351a4f28aa2101f5ca10d1a29b17cbd1cb28ac56b9bcb43b6566a33e9e3383b6b36e262f75937484f09d7345b0f33d71e967b72a3b1df

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
704KB

MD5
05f3b19149d13e5c0ca07a63fc148019

SHA1
4aef56806deafee2db04b877cab71283b5dd1a01

SHA256
dc5256b2981fdfd7955f0f4c706a287deb317d3f614489b76485dff4f90bf937

SHA512
b415b7f6ddf50cda6b2e31c3b1265ebd714a78d9344247f8d35639b83e9a098bd865d0ea24cbf91170d48acd2932e5440299cea809992803c4e72c5d8b283c98

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
704KB

MD5
d2b021af8019afe047f66c688b51903f

SHA1
7bd89fd1b78c36a14e1b48f93ab1c412cb204d60

SHA256
303f6b47dd4dd7a6167cadcc288cea22d54b4641cd4f1528d235f799236fcd0c

SHA512
a860289a254cc359e396e8be3850ef7a5e1450fb18351bb0dcd236cb7eea43e6e9dcb61517dd84f7dc7747c3674072df5a8791c12620e5d0ecae30e4ba3a37e6

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
704KB

MD5
01e7787db63168b740a16e9c2b967225

SHA1
f2bc68607f11f1b1b17937504a0392b0e23d2b64

SHA256
0211c30bb4384637edd332f8ead5e4c49d3ea8981502d6158bd563051be4fccc

SHA512
1479e40035ec06d226e22da9ce8e04663de1147873423235b5495922c2a3964d863213e2a999c4c13b834853c61d8e2036d703cd5f2aac42d02a5bdfff4d3c5d

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
704KB

MD5
70652e672e47c3093ef1f57f98afc92b

SHA1
9cc3862ba1da1059bbc2ed44c8f3d51c8c4c4b57

SHA256
26e78c7c3e0fb53dc28771bc4598c5cf4a995c98485bf9da8b9771a6e25e8b4f

SHA512
2b947ce77e9b5483ec0cb17e9c053cf1b56295a2ee9f1d3b81aeba2c3401e6c6371842bd915bd80ad3f1147d608efc51f3436b0cbc0c24fc60df5415d2802a42

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
704KB

MD5
5df8b332f75e27921afc818553fa3252

SHA1
f564eda73d432cc0fb11097951a98dd2b8b4c36b

SHA256
13c5f3b07d6fa5fdd80ab47d018a4a4675c406541a8f226abca2bb819fa4b766

SHA512
85cad8c882f87a7ea12336d1fa4f4f366329fab25d245dc3e7a7ff77c0de71b4223cf93b08f576382763463dece739e90c75b904e4434f1cd593b2eea2d8baf8

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
704KB

MD5
d4c0b675f3b6f1bd0968198a6ee7c092

SHA1
f461c194eec854c59a3060d96b5076714866514c

SHA256
35c460bb01d94a8c5262deefbc230cc80e65c4725c27539af59139b19c96f1db

SHA512
5904916a5044a249938220ebff6b6e0ec3685f1f1e21551323bc0784efff42d421582d4e91b323f044a3d629eb5b3fb08f47c90be46e1993c5296793fa04400c

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
704KB

MD5
1f8c1e0faabc82d519246ae9211923ab

SHA1
29628d2f5efe54e757acfef694f93e83556dfc2e

SHA256
bb65e82153a46a362ee1421e51af98da9b827451f092ad4cce75a0c0567aa96d

SHA512
c55576eb5d4eed02ae59459a62285033be6c2033bc61c084520c97c1bcd8c99d26956e192d2e4816bf42285e06cdb8987fc99c321176771e8ec6f795c2817d13

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
704KB

MD5
ab91e94c3a99317c247bee09e8b69906

SHA1
f7c8b67e317b53d710df263cdb27686f1dee50a4

SHA256
4e88adcd29339e243f23044beae2a17575aa3d15e9eb0da91db7d523912c512c

SHA512
a3a541ee980182a84b83c1043c7bbabcbecec9d3074bd6ee9173bf44bb896b4b4189630399f5ce9aa744816f1cb4ea21da7822347a3228d616bc1b77ab99faeb

Download Submit
memory/392-109-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/460-393-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/740-427-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/852-445-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/916-413-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1016-496-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1056-93-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1100-419-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1172-31-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1204-471-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1380-484-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1420-381-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1464-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1616-391-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1792-382-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1864-421-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2004-119-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2148-465-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2304-503-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2340-437-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2388-386-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2496-380-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2500-410-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2624-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2636-505-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2636-26-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3100-506-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3144-498-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3228-412-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3292-104-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3292-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3348-479-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3352-429-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3464-422-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3592-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3596-20-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3820-436-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3860-385-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3884-444-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3912-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3932-491-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3940-88-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4024-435-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4100-483-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4184-480-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4192-466-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4276-399-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4396-405-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4432-452-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4512-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4576-458-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4604-414-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4608-113-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4620-482-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4632-485-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4640-474-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4680-451-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4728-438-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4908-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4908-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4952-473-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4980-507-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5040-457-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5048-383-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads