796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791.exe
Size

108KB
MD5

043d7fb2a99580b122237ddd98ccc260
SHA1

0da13d3fecf884121598b7fbd4827019eb8af3d8
SHA256

796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791
SHA512

0fab7500d87346a14d7d176ce3203a3b05bfa9f8dcc2c406bc0d872efd98deecebed14a454fd26d9f4b9d16d70f732fd1c2b92d33d126e841e503decc2dc3294
SSDEEP

1536:dPMD01WeSzsGFp8GJJVw71i63ePXWapNfVy2lVmkFcFmKcUsvKwF:dwB8GJc5iReapNfzqkFcFmKcUsvKwF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe

Executes dropped EXE 64 IoCs

pid	Process
2380	Gbgkfg32.exe
3116	Gjocgdkg.exe
940	Gmmocpjk.exe
4900	Gcggpj32.exe
3132	Gfedle32.exe
4948	Gidphq32.exe
2940	Gqkhjn32.exe
3664	Gcidfi32.exe
1612	Gfhqbe32.exe
3996	Gppekj32.exe
2444	Hboagf32.exe
4032	Hfjmgdlf.exe
4460	Hmdedo32.exe
2460	Hapaemll.exe
3520	Hbanme32.exe
3448	Hjhfnccl.exe
4040	Habnjm32.exe
3668	Hcqjfh32.exe
1804	Hjjbcbqj.exe
3672	Hmioonpn.exe
4780	Hfachc32.exe
2928	Hippdo32.exe
4256	Haggelfd.exe
2472	Hcedaheh.exe
4380	Hjolnb32.exe
1896	Hmmhjm32.exe
1816	Ibjqcd32.exe
2144	Impepm32.exe
5024	Icjmmg32.exe
760	Ifhiib32.exe
3172	Iiffen32.exe
4888	Ipqnahgf.exe
2288	Iiibkn32.exe
3892	Iapjlk32.exe
4552	Ifmcdblq.exe
4436	Imgkql32.exe
3788	Ibccic32.exe
3028	Imihfl32.exe
3716	Jpgdbg32.exe
540	Jdcpcf32.exe
752	Jjmhppqd.exe
2088	Jmkdlkph.exe
4012	Jpjqhgol.exe
768	Jfdida32.exe
388	Jaimbj32.exe
1148	Jfffjqdf.exe
4880	Jmpngk32.exe
3396	Jpojcf32.exe
4908	Jbmfoa32.exe
3228	Jfhbppbc.exe
3564	Jigollag.exe
4416	Jdmcidam.exe
4760	Jkfkfohj.exe
4212	Kmegbjgn.exe
4260	Kdopod32.exe
2904	Kgmlkp32.exe
3264	Kacphh32.exe
2660	Kdaldd32.exe
2808	Kkkdan32.exe
4472	Kaemnhla.exe
1820	Kgbefoji.exe
3036	Kmlnbi32.exe
4320	Kkpnlm32.exe
2532	Kibnhjgj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5520	5300	WerFault.exe	203

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 2380	3736	796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791.exe	88
PID 3736 wrote to memory of 2380	3736	796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791.exe	88
PID 3736 wrote to memory of 2380	3736	796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791.exe	88
PID 2380 wrote to memory of 3116	2380	Gbgkfg32.exe	89
PID 2380 wrote to memory of 3116	2380	Gbgkfg32.exe	89
PID 2380 wrote to memory of 3116	2380	Gbgkfg32.exe	89
PID 3116 wrote to memory of 940	3116	Gjocgdkg.exe	90
PID 3116 wrote to memory of 940	3116	Gjocgdkg.exe	90
PID 3116 wrote to memory of 940	3116	Gjocgdkg.exe	90
PID 940 wrote to memory of 4900	940	Gmmocpjk.exe	91
PID 940 wrote to memory of 4900	940	Gmmocpjk.exe	91
PID 940 wrote to memory of 4900	940	Gmmocpjk.exe	91
PID 4900 wrote to memory of 3132	4900	Gcggpj32.exe	92
PID 4900 wrote to memory of 3132	4900	Gcggpj32.exe	92
PID 4900 wrote to memory of 3132	4900	Gcggpj32.exe	92
PID 3132 wrote to memory of 4948	3132	Gfedle32.exe	93
PID 3132 wrote to memory of 4948	3132	Gfedle32.exe	93
PID 3132 wrote to memory of 4948	3132	Gfedle32.exe	93
PID 4948 wrote to memory of 2940	4948	Gidphq32.exe	94
PID 4948 wrote to memory of 2940	4948	Gidphq32.exe	94
PID 4948 wrote to memory of 2940	4948	Gidphq32.exe	94
PID 2940 wrote to memory of 3664	2940	Gqkhjn32.exe	95
PID 2940 wrote to memory of 3664	2940	Gqkhjn32.exe	95
PID 2940 wrote to memory of 3664	2940	Gqkhjn32.exe	95
PID 3664 wrote to memory of 1612	3664	Gcidfi32.exe	96
PID 3664 wrote to memory of 1612	3664	Gcidfi32.exe	96
PID 3664 wrote to memory of 1612	3664	Gcidfi32.exe	96
PID 1612 wrote to memory of 3996	1612	Gfhqbe32.exe	97
PID 1612 wrote to memory of 3996	1612	Gfhqbe32.exe	97
PID 1612 wrote to memory of 3996	1612	Gfhqbe32.exe	97
PID 3996 wrote to memory of 2444	3996	Gppekj32.exe	98
PID 3996 wrote to memory of 2444	3996	Gppekj32.exe	98
PID 3996 wrote to memory of 2444	3996	Gppekj32.exe	98
PID 2444 wrote to memory of 4032	2444	Hboagf32.exe	99
PID 2444 wrote to memory of 4032	2444	Hboagf32.exe	99
PID 2444 wrote to memory of 4032	2444	Hboagf32.exe	99
PID 4032 wrote to memory of 4460	4032	Hfjmgdlf.exe	100
PID 4032 wrote to memory of 4460	4032	Hfjmgdlf.exe	100
PID 4032 wrote to memory of 4460	4032	Hfjmgdlf.exe	100
PID 4460 wrote to memory of 2460	4460	Hmdedo32.exe	101
PID 4460 wrote to memory of 2460	4460	Hmdedo32.exe	101
PID 4460 wrote to memory of 2460	4460	Hmdedo32.exe	101
PID 2460 wrote to memory of 3520	2460	Hapaemll.exe	102
PID 2460 wrote to memory of 3520	2460	Hapaemll.exe	102
PID 2460 wrote to memory of 3520	2460	Hapaemll.exe	102
PID 3520 wrote to memory of 3448	3520	Hbanme32.exe	103
PID 3520 wrote to memory of 3448	3520	Hbanme32.exe	103
PID 3520 wrote to memory of 3448	3520	Hbanme32.exe	103
PID 3448 wrote to memory of 4040	3448	Hjhfnccl.exe	104
PID 3448 wrote to memory of 4040	3448	Hjhfnccl.exe	104
PID 3448 wrote to memory of 4040	3448	Hjhfnccl.exe	104
PID 4040 wrote to memory of 3668	4040	Habnjm32.exe	105
PID 4040 wrote to memory of 3668	4040	Habnjm32.exe	105
PID 4040 wrote to memory of 3668	4040	Habnjm32.exe	105
PID 3668 wrote to memory of 1804	3668	Hcqjfh32.exe	106
PID 3668 wrote to memory of 1804	3668	Hcqjfh32.exe	106
PID 3668 wrote to memory of 1804	3668	Hcqjfh32.exe	106
PID 1804 wrote to memory of 3672	1804	Hjjbcbqj.exe	107
PID 1804 wrote to memory of 3672	1804	Hjjbcbqj.exe	107
PID 1804 wrote to memory of 3672	1804	Hjjbcbqj.exe	107
PID 3672 wrote to memory of 4780	3672	Hmioonpn.exe	108
PID 3672 wrote to memory of 4780	3672	Hmioonpn.exe	108
PID 3672 wrote to memory of 4780	3672	Hmioonpn.exe	108
PID 4780 wrote to memory of 2928	4780	Hfachc32.exe	110

C:\Users\Admin\AppData\Local\Temp\796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791.exe
"C:\Users\Admin\AppData\Local\Temp\796309b8877d63e1612248c200baf9c331b3bad4588ba34a491f323bde229791.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\SysWOW64\Gbgkfg32.exe
  C:\Windows\system32\Gbgkfg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\Gjocgdkg.exe
    C:\Windows\system32\Gjocgdkg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\SysWOW64\Gmmocpjk.exe
      C:\Windows\system32\Gmmocpjk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        25⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        36⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        53⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        64⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1180
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5020
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        71⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        74⤵
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        77⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        79⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        80⤵
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        81⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:536
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        86⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        88⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        91⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        93⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        98⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        99⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        102⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        105⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        110⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        114⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 420
        115⤵
        Program crash
        
        PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5300 -ip 5300
1⤵
PID:5420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
108KB

MD5
b7425fdb136fcde02fc932d98c1c979b

SHA1
bfa232b1adae38eb372990722c5b61d4b42facba

SHA256
c2712f3e3ed6e2ca1e8fa82b0bfa205ee4b24e9697f6267de25a6f045b6cd5b2

SHA512
bae5e429c27d25af69ece0bceda7743c5fedfa9c000fb5c5a9a5ebe2e341a38501c14489f719abae3a82fcddf0361f4574659f815ac0580fc7db49b52af044cb

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
108KB

MD5
fe1e960afb95d38a8e65067d99babae2

SHA1
db63c5c8e2a31759f72b12704e0c1012904a726e

SHA256
8f88dcfa1cac12567672c3fde906303e2cede3c3b6dd000b10a62352ccbaad71

SHA512
eb73775c0ca38c7aea5e56ea1dafcff20a1b1c3965488cc72539dc593ab5873e390953f400a3ef3884d5413de819bd2cb5af03276e86be4dead104cfd9e4ce96

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
108KB

MD5
b845e06f6f0928dae33095ce106c65cc

SHA1
456b99014bb96fd37a982dff68e1abc0ffe81258

SHA256
bb9125aaf4831b555d88c946fa1563146a10d453cd9008f2ff5627dbec0cdd4e

SHA512
9e691e85a262b04874c07ea984c9ce347399ea055b59f82a9a92476013454f6a9740278f5c8e6af29f2a10c57902798bf853f42b3d7e0f1c0ccb8ac414949196

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
108KB

MD5
2851fac098067fb5dce0ff23dba576db

SHA1
72a260a3ced76bf7218d83b57a2b829ec7038ce7

SHA256
ef5ee169f23edfa2c52bef7ebbb153c8d862c48fb989efe32f2efa58669121ee

SHA512
5617424e0c11acc1a8475ce4dbc71adc559f1cc1b562c5f82199127273f0116d9577dbf03f0135db5b72d8237e24959d8d7e2b4180e4e3edf69cad725136fb7c

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
108KB

MD5
955ddecfe39526f2ef18800fe7c38fcc

SHA1
d73bf45599096ce2553583e365a4c19fff20132d

SHA256
2372b40465fd480cb2494ea3d8f7c403b36d3ee45f7628e6a8fc8724fdfd0330

SHA512
8785817516bc844ed1ee9530df3acd8b80043360a186a67043b280db8bde07721e1d2d60758968186895b871d852d6e54cb22fa4943b89a9f5711bbb4e3b37e1

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
108KB

MD5
1e5c98c5ef21c35e12527ea4419873d1

SHA1
553f1d49f3c83bc58eea0bd43fb12c75d7069156

SHA256
861362087daa06fbbaf973eb8ca9036379d89619fb930d74720b370d68034e07

SHA512
8d81c644079c6eff9e2d13b83cf6a25f0c80aa04f9ba47c04de5ce704e5e694714109a73b08977b42a966d90530b4696a6fd9ec4ce2be2875b5e7664832b2fe4

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
108KB

MD5
0f5e1e387407a673bfeeeb84e126a53c

SHA1
82fadd10519d6c101ba43f0ebd092aa2957f7726

SHA256
5552c403472168610ac97dda644afbeb13925abeab9f06931161ad0875c46823

SHA512
1ebacf59417398abd3ee392327456ba5976a23542f1ef9817ab5fa9eaa8c13a43af5a22dcd4e0cdc09cc7cecd9e26dbd61c0923bb0af0c2017e2e9663ae0238d

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
108KB

MD5
561066fd90ea3ea1872a493bc59c3615

SHA1
ee857bec40b9a2ba16b4ddd7a62957a4bd349748

SHA256
1310831108f61f946c622c5dd73f1ac87ce016ae5f4413725ad1c8a5b5cdaeb5

SHA512
2cfa50b83ce54116326e301e467ce155110b93ac01c38d60fa593363333480cdc1767785b48936ce544f075d7343ab908cdbda452cde4f5089a3f4cf2a036cc1

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
108KB

MD5
a0274c022ef71a08d8bff716d4062b2e

SHA1
0f053a8cf09c56a423c929635a4293e58e2be059

SHA256
d050114dbb561f7f2b7a6d828595e689a38b08622c0a0cad0b16af972de1beee

SHA512
9c55552d49ed882a10556fa95d29cc6396647fef6bac06d8dc0dbce7bf8e6a4c0be13cd91297b941846dce40fbc05f9d14c069722b1f747cd42539ebfc8dcc0e

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
108KB

MD5
ca5dea8fb19a365c80c7b4a5cb9e1d5e

SHA1
ee8bfd2b210d06db3f70d3bc9fbf8bc215fa4a5d

SHA256
4b797171e746c265aa577a1057b6deccab3f117067fb73f460011218d17098bf

SHA512
1b551f8e23333ba0bb506b052efe02c2c5246394c40df0a010d8aac9a285b3a4bd6be006d1eb3619152fec5505410cc15bd8f9906f638be0f1668fc1996f6e8b

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
108KB

MD5
98eda34cf835d8722acbd2799472b3c7

SHA1
ccab0eacf30a12bd91ec50f38caba710e34bbb59

SHA256
d7280bffc0effa32f440074dfd102e12f66a99f01c30ed33381825066121a04f

SHA512
b378e9571cdb7d152b24d6beaf73a3e74420c2eacc7b1e03746452c1d24ffc1827b7158d5236f807ac2cbc361b726642c92a5fd2080de992f349e48e06a41270

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
108KB

MD5
f205bd9d9a6cea0310ae9b8823b01cbc

SHA1
a1aa5118ecad54bf4c3a0092e6b121fc6cfdc87d

SHA256
76d85eaff6c68fb2e86652387533f97566206b756d8558b90b7691fe9d6b08dc

SHA512
d8cee08fa44a7331e3deaf6d4555cfc9fef2b5c98f0a616321c6089533d8ae32dbf0ea629d4fb4b430690e24b728345eea80ed25aa7df94724d9c9bd8f3b2606

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
108KB

MD5
ec2fe79f379ddba345f21c966b523eb0

SHA1
749b494e649b6b3be42b048319c7ba4fd23bd007

SHA256
14d45ff29878fde0d320e567263a60f177575de24cde3366ca364263d652b485

SHA512
4f2be573211d407ce8ad0ad1379f3ad2982b9061d2e026e231b213588bd3bc654ad36fec8814339c43f5a620ad096ab34c84fd17eacdc098dc0ba5d320aef148

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
108KB

MD5
f2e9c97984eeefa58a8a60b24c54e632

SHA1
94c900780a6712ae67c76b0f9ecd73d3b5575bc0

SHA256
c0bf5a5ed3bd60efa9a1d957d81e442b09608a88b39e85e4835a0869800682b1

SHA512
c8dfe53cef36235d536162b7acb7bd7c44fc4b73d98809900add3bc244a1dc217b805a6d5d930376a9299be11c8b661ba16dad1749ec203577f25fdc84d1e980

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
108KB

MD5
1b1ff8930108145429bc294ca79aacad

SHA1
0dd94dca8f073ed38d7a85a2dc3f7b29aa276156

SHA256
7373f15b537170b5c1d10c480afe432827201a934b1b9519a617bf8a8df05cf7

SHA512
2ac94bb55dc381052787df85cbe7a3dc28f0ecef7a27c23cb7c281929cf08bc33a639819d7bf81a813a515fb2dfd6fcf483afa3fc3182282e12454b19014a319

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
108KB

MD5
e063f925fbf1e56aa7013c80c32e6d52

SHA1
e5041c898163247c5e582d4dd6faae80089800ec

SHA256
d691e07ebc53701493591bf68a9d867bbd3bf78144daffd5fb05c36b6d63d753

SHA512
1b58fc484613e12986fb4c33b7b190ea4880d46e7dd497699e528589143485e3988253a4c7b9f34a2e5021d0b0dae9eccfaa2f0ce237d36b1d0979b71d969ba5

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
108KB

MD5
54057d1630837554dee42950220c2afc

SHA1
16bf31e5dce1a7bcb2f57d4264878fec000f3fa5

SHA256
15c8da514dc8eb02b64d9e9db22affe994611e5724859fa56107662ef96f8e9c

SHA512
30fa8ad29ba161ae199f212555e5429fe46c871cf4425eddde8dc0e0fb1f77d283a5c4e710e5caa9ce5bfbe2a4b63d18d71629b3da8369e6935c4401554abac9

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
108KB

MD5
1c358bb467f169a8fe901bb18664e60b

SHA1
46ca3d6da986075d2240b4dd72bccdfd8de16855

SHA256
f3d557e92489b9fa2b823e4740229e3c4a4057b0dd13fd67143577b2950cefd6

SHA512
e35227d1359ecf7e870079c05b45f3fe998cbccdad9b4d08b82f128feb7e58c61408fcda84c603b6cc6d654fcf0d192aaa99fbeadb6d56c12c353d04b0ce4cdd

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
108KB

MD5
440336ca83584509786e110062eaed8c

SHA1
cc8c847d74b9faa930bfc2f8a4aff60b44e24748

SHA256
0d9c5ed508bab2eced4c32081c2aa36d2726d562ace755aa29eb6e1220d182e0

SHA512
89b8594f19f11987d3244c4f7bde69aa4557b8be686f3e44e8ed204c26b7dc2de06a20264329f13f83e5e05f50d80a65b3a1b193b796574116f985a3f0757ee6

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
108KB

MD5
8de687c63bed8811dd157551d8d7439b

SHA1
ab326be2ca78f59073559b56c362580e6fe83a18

SHA256
4d12e6efed20f04e20573688ab8f41639c68a6613bd64afe6400e28dbe2fbcb0

SHA512
f6efbe2befd7060ff522453080577bf215ed89b09c2164215f669975bff8b330a6c88abcdd9ead554b13d462a807a617dfa39629623356c960dfc7f5efc5a664

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
108KB

MD5
d715b7d8ea6feb9dca299d003418a9f3

SHA1
c8ce1efcae36856548e44a606d70be8b621b1309

SHA256
b8a4b3d24f25c10e1b3f6efca5091b70f85a76817f9531f87b61084f61361159

SHA512
f33c64193eec3a1420aeb1ae930286636542ce07934d6d0e76fd49d1555e64dc393d33417f25e70a38985732599cb1301af3b235a00ac152659da798cb53f1c3

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
108KB

MD5
68bc784746f2f6be701f25c1cd391787

SHA1
959aacb47c1cdd57d24cc2ef2a4855b9d42bd866

SHA256
8b57e9524e55679dc5f92dfb2c633b340c7022d50470bf1a4a59e3176d664810

SHA512
d75f5f5ce5abe7c6cb32bd26049c721004390af3b001e10cb015efc7689f392fe048ec4952812a8e763311bc566c696f9afaf22af9bb153e42039d0e81694e63

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
108KB

MD5
6873874913a92ec650b5b8e0e45afc93

SHA1
a5636d955332f54c496d070b831c66cd36682b7e

SHA256
a1a3b0e1f6fe97ecc3fa3cf921a3dc3a3575bb94c2a5ca874f8a8cf611f675ce

SHA512
0a7fd26c3a012d441e116aca2f1164c629c818ec31d0062fd1dc05f0f872fbaba946bd0e21c0486d6f8e91ebeb860dd6bb331781dad9471110a11059884c0d93

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
108KB

MD5
9948033c62a3ae32a525836c620961f9

SHA1
c5a9110eb17e9cdde98a5c71ad3b7a65cc0b7582

SHA256
45ba193bb84700f5609a55b950108f2f05a93d7241a998289fc743abaee03670

SHA512
ad6c9916d282d8b95613895b0696ba645787a6797a350445b5cf93123f957dbd44026b2970815733ff8f0979348c56f3b9c64003c218d79549640cbfd73b7a9c

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
108KB

MD5
49e30030bed5c54ee513d06b48ecc753

SHA1
b17b7e328e82c66448bba3b421712031ea4dee0c

SHA256
e747bd4eca4c96c39e9c39bc4ec9bd2a5d59d4325201f25c5ce9341e66f0d9ed

SHA512
b0f6e5e9971a89a500666e6600f5d7d302be16800b68f32e8b13a5995b7042da4eaaeb6885826ea7740423cfe1b28ffe03fa64ff49a9a24c175f538cad9a20e3

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
108KB

MD5
f1a3d1ef4355aa11286451b54a2936f4

SHA1
20ea6c7e50c943bb68be93d14efac34509b6c6a5

SHA256
0d1b0c44c99bcc0075417478849745a41aff5be70650bc5600f3ee04a142699f

SHA512
12dc6d5e24d4056700c2eba5d436f78ebf794483512a2daa5a750e6e61eb2f9c4027875a044c857d9e7bfbc3d3051c397f9108dc2201178ed47cf52fda0918c8

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
108KB

MD5
3c1dc5eb35d216b61072d0e40fb6ac85

SHA1
fb82a48718889419ed70416f23922948444457c1

SHA256
8d2876dbfbc861f3e396785e6e14bd44775bf326310d8c2ff470764fa3d50773

SHA512
055a6fb4696965a72bd69e46fb2edff0dc2faae1df9b04cc60c32069a59860a86bbfeca491338af512f01dbee67cdfc2e92910e61a751774af7bab5fb2b80d90

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
108KB

MD5
c8a5bd5df987ca5ed9f769f626d5eb24

SHA1
189cc26af0a93785a6bcbc3410e6c755675f093f

SHA256
fb457fd2f539cea391ed133f6321c3f6f9af6483a7b62eae1e26f1bf2ee8b931

SHA512
39b72033c16e5483dc2796f2065adef48cec2d3eacf70b605b0804b3e068521d160cc49398e8a1fcd24faad1fdd3624d8ec47b9967f4594a3bd947533a9b7b92

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
108KB

MD5
0b5a603b18abf22491292dbabaacc994

SHA1
04aa9f8954814dfab0ba1a851fc94d15f64b23f8

SHA256
fc59871725eee5689ed09c34ae1890aff0f3eb45fee48c93d491b80fdc92e115

SHA512
59feadc926c866503c16808a6a72d7bf4c2499aac1a707943c8ff38719fcf878c703f65b0818bf278136b9e802e1eb3cbbca0af9864dafe27d46272ef560342c

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
108KB

MD5
892cc5fb098efcae0dc3f5f604b4c637

SHA1
3c155af9bdca95884d2411c1d5af00a2e3881296

SHA256
4e8a4fe92a7b26dfbb4a32f9b6cdb1be4a40959924237509580182fa37782c66

SHA512
85715f7d93b3ee5f386b0259436354ddc1113b65dcc6a568f864cace03f5ca44d84f29612768e41b515ab1d27ae36f2d275017c3728aa93a315986eb56f02158

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
108KB

MD5
aa27725159c8d9d24bc24c64227d1203

SHA1
364987242a4d2ea06f8a67a3273cbee8a9085edf

SHA256
05d5952ddab1291a28891930cbef7bec8ef09ce2e37394986a8f214fd538d183

SHA512
ee3c195797347223cc14b01020b96d9c4d1bdb05e4a6866a91fc53831cad4ad166b5f8cb4e71beea00e5b04e625aed5c6c809e4591a24eabba69553c40a9108c

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
108KB

MD5
a691f4d948c42def0cacb72fcfb4abad

SHA1
b897fb10310995530dab62ae93744c02a3acd62a

SHA256
0aef7ac3435c3c647b1486bba7ac765fd0ff509eea5a2f311defb3845160f507

SHA512
7a76215acae7155a33fa8aed36ff4d45d05271a1c4e59d2e74875e4aacef1df9368c81b69a9adb0707d09987ae40db5cbb5e1d9a6babb4df19fdcaf704a109c7

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
108KB

MD5
cc09e3fc6a74e6ac981d432fa50addb4

SHA1
fa0ab42b06b7b5ff491da4b009723c70556f0053

SHA256
10a3dbccdc4f0d214b6d20cdcf6b815f8bab60a1f3de3ffd9f0d98ba09207f39

SHA512
15d653ec5bf68a3f5dc2d6a0722b9f1b882b3068cb21c7dfa864aea3f8b9ea85eab1fa9101565de0f3135031f35944a0d11b963bfab32a9368da54129068cbe1

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
108KB

MD5
83188e4cd26564a9089b385faf64ed0c

SHA1
d555f7de532d7d3f569ad86f85f967f516af57b9

SHA256
8ebf7381cbc1af13f535d975ac55f89276177caddd625655245992930d6714d1

SHA512
da5cb7b98506d6589f3634baad74b918159a297fad754fafc83b82632239b6efdba2a3bb139256a7630eaf1a36e813f9de0a7e28428e28dc12e18710a36b8284

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
108KB

MD5
24addb746f53bf9d5dabc9040846d451

SHA1
89a68bd939032330062a65acbdf2cb3988af27da

SHA256
cd6a8dd86da47f0eeec26444e6d3083dfe43e57d9b42513aa757c947669458d0

SHA512
4c77e1b7fd63082b2ec0bc0b793e64edb23db9f3de222375abc9e9896843f5caf710d6cbc562437f075d1a08656fcd9051a70968a19c50868da64184f7a872b1

Download Submit
C:\Windows\SysWOW64\Nphlemjl.dll

Filesize
7KB

MD5
54313937c0e8c68f89a4b4e3de0a4ffb

SHA1
401a2672bfa0dfaea3195da44b01c691f86b61e5

SHA256
767f30fbda37b1599468910c109b0b8819bdb398a1eb5255bc00b82de37b9aff

SHA512
7d90f6f241b2f92ef75277dc355d3de802735623aa81e14631b9087cfbd6b2cfae59423fa5d1ae46ce4d8f784024379a297d60c5cdf21c75a121f0c6d653807c

Download Submit
memory/388-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/752-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/768-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/940-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1612-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1804-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1820-428-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2144-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2380-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2444-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2460-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2472-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2532-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-410-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2808-416-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2928-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3116-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3132-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3172-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3228-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3264-404-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3296-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3448-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3520-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3564-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3664-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3668-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3672-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3716-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3736-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3788-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3892-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4012-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4032-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4040-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4212-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4260-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4320-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4380-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4416-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4436-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4460-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4472-422-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4552-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4760-380-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4780-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4880-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4900-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4948-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5024-237-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads