8684c962064c7dd2b2b980eb2cd25836247a9776f77ccae8204ac0e65f83ab8a

Analysis

max time kernel
146s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8684c962064c7dd2b2b980eb2cd25836247a9776f77ccae8204ac0e65f83ab8a.exe
Size

217KB
MD5

ad62ca9879e50ec5ffb29b0eb83b0b6b
SHA1

73de5433f6855c0e828ee96149e9c6627611cd4d
SHA256

8684c962064c7dd2b2b980eb2cd25836247a9776f77ccae8204ac0e65f83ab8a
SHA512

1cdd35be61c813c63cd53e3dceaf800745d6ab5d9af54296b1b51ac45225e45fac35a95bd67d0ff906e54b9aed15d10a8959c448879e7fa323fddbdb3460a97f
SSDEEP

3072:Iy0IOzSf2/oh3o+4HEAGKztTeS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVD:Il5/25ApRTdZMGXF5ahdt3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kclgmq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgiimng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qklmpalf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdmqmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pldcjeia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anobgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilqoobdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qclmck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoahh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbajeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojigdcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glengm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pahilmoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pajeam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akqfkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cioilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glengm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqhafffk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igdgglfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idbodn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpecbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgeghp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okkdic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadghn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idbodn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plpjoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmcclm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojefobm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qklmpalf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbajeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnebo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbabigfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijqmhnko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qachgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgninn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijqmhnko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jklinohd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pahilmoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmdjapgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipoheakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflkbanj.exe

Executes dropped EXE 64 IoCs

pid	Process
448	Idbodn32.exe
1656	Mnnkgl32.exe
532	Poomegpf.exe
4896	Cioilg32.exe
856	Gjdaodja.exe
3276	Glengm32.exe
2652	Gfkbde32.exe
3236	Gmdjapgb.exe
972	Gbabigfj.exe
3420	Gpecbk32.exe
1452	Gipdap32.exe
3132	Iphioh32.exe
3500	Ijqmhnko.exe
4656	Igdnabjh.exe
3804	Ilafiihp.exe
2412	Icknfcol.exe
1816	Ipoopgnf.exe
4892	Igigla32.exe
4500	Jcphab32.exe
2112	Jnelok32.exe
1636	Jgnqgqan.exe
5060	Jklinohd.exe
4316	Jqhafffk.exe
5092	Jgeghp32.exe
5008	Kjccdkki.exe
4424	Kclgmq32.exe
744	Kdmqmc32.exe
552	Kkgiimng.exe
1084	Kgninn32.exe
848	Ojigdcll.exe
1904	Oacoqnci.exe
1348	Okkdic32.exe
2428	Plkpcfal.exe
1876	Pahilmoc.exe
4732	Phaahggp.exe
1952	Pajeam32.exe
5108	Plpjoe32.exe
1128	Palbgl32.exe
1388	Pmcclm32.exe
2852	Pldcjeia.exe
5036	Qaalblgi.exe
4380	Qkipkani.exe
3044	Qachgk32.exe
1932	Qklmpalf.exe
640	Aafemk32.exe
652	Ahpmjejp.exe
3868	Aojefobm.exe
1968	Aednci32.exe
4640	Akqfkp32.exe
1284	Anobgl32.exe
3788	Alpbecod.exe
3568	Anclbkbp.exe
1648	Adndoe32.exe
3292	Igdgglfl.exe
1272	Ilqoobdd.exe
3188	Ickglm32.exe
656	Iidphgcn.exe
2700	Ipoheakj.exe
4364	Nmdgikhi.exe
1400	Nflkbanj.exe
1520	Npepkf32.exe
3596	Nfohgqlg.exe
3864	Nmipdk32.exe
1288	Ncchae32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Pafpga32.dll	Qmdblp32.exe
File created	C:\Windows\SysWOW64\Fjqjajoe.dll	Idbodn32.exe
File created	C:\Windows\SysWOW64\Ofkgcobj.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Lbandhne.dll	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Aaenbd32.exe	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Aokkahlo.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Dohnnkjk.dll	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Aadghn32.exe	Aimogakj.exe
File created	C:\Windows\SysWOW64\Plkpcfal.exe	Okkdic32.exe
File opened for modification	C:\Windows\SysWOW64\Npepkf32.exe	Nflkbanj.exe
File created	C:\Windows\SysWOW64\Aojefobm.exe	Ahpmjejp.exe
File opened for modification	C:\Windows\SysWOW64\Oaplqh32.exe	Ofkgcobj.exe
File created	C:\Windows\SysWOW64\Aknbkjfh.exe	Ahofoogd.exe
File created	C:\Windows\SysWOW64\Bcomgibl.dll	Qclmck32.exe
File created	C:\Windows\SysWOW64\Ekojppef.dll	8684c962064c7dd2b2b980eb2cd25836247a9776f77ccae8204ac0e65f83ab8a.exe
File created	C:\Windows\SysWOW64\Ejljgqdp.dll	Jqhafffk.exe
File opened for modification	C:\Windows\SysWOW64\Ilafiihp.exe	Igdnabjh.exe
File created	C:\Windows\SysWOW64\Iophkojl.dll	Kjccdkki.exe
File created	C:\Windows\SysWOW64\Oacoqnci.exe	Ojigdcll.exe
File opened for modification	C:\Windows\SysWOW64\Aojefobm.exe	Ahpmjejp.exe
File created	C:\Windows\SysWOW64\Npiiffqe.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Cpkgohbq.dll	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Mnnkgl32.exe	Idbodn32.exe
File opened for modification	C:\Windows\SysWOW64\Cioilg32.exe	Poomegpf.exe
File created	C:\Windows\SysWOW64\Amlogfel.exe	Aknbkjfh.exe
File created	C:\Windows\SysWOW64\Flafeh32.dll	Igigla32.exe
File created	C:\Windows\SysWOW64\Oglbla32.dll	Ompfej32.exe
File created	C:\Windows\SysWOW64\Moehgcil.dll	Anobgl32.exe
File created	C:\Windows\SysWOW64\Nmdgikhi.exe	Ipoheakj.exe
File created	C:\Windows\SysWOW64\Aabkbono.exe	Qjhbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Pajeam32.exe	Phaahggp.exe
File created	C:\Windows\SysWOW64\Ieoacg32.dll	Aednci32.exe
File opened for modification	C:\Windows\SysWOW64\Qmdblp32.exe	Qjffpe32.exe
File created	C:\Windows\SysWOW64\Qcnjijoe.exe	Qmdblp32.exe
File created	C:\Windows\SysWOW64\Hnnhejgh.dll	Phaahggp.exe
File opened for modification	C:\Windows\SysWOW64\Ogekbb32.exe	Opnbae32.exe
File opened for modification	C:\Windows\SysWOW64\Qodeajbg.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Mkhpmopi.dll	Fcekfnkb.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Igdnabjh.exe	Ijqmhnko.exe
File opened for modification	C:\Windows\SysWOW64\Phaahggp.exe	Pahilmoc.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Kkgiimng.exe	Kdmqmc32.exe
File created	C:\Windows\SysWOW64\Aafemk32.exe	Qklmpalf.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Hponje32.dll	Oacoqnci.exe
File opened for modification	C:\Windows\SysWOW64\Aaenbd32.exe	Akkffkhk.exe
File opened for modification	C:\Windows\SysWOW64\Qklmpalf.exe	Qachgk32.exe
File created	C:\Windows\SysWOW64\Onocomdo.exe	Ogekbb32.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	Pffgom32.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Ppipkl32.dll	Gbabigfj.exe
File created	C:\Windows\SysWOW64\Hemqgjog.dll	Kdmqmc32.exe
File created	C:\Windows\SysWOW64\Iidphgcn.exe	Ickglm32.exe
File created	C:\Windows\SysWOW64\Cjijid32.dll	Nflkbanj.exe
File created	C:\Windows\SysWOW64\Pffgom32.exe	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Fgqgfl32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Hankellh.dll	Ilafiihp.exe
File created	C:\Windows\SysWOW64\Cfidbo32.dll	Adndoe32.exe
File created	C:\Windows\SysWOW64\Ojjhjm32.dll	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Fcekfnkb.exe	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Jllhpkfk.exe	Akblfj32.exe
File opened for modification	C:\Windows\SysWOW64\Aimogakj.exe	Abcgjg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6104	6040	WerFault.exe	214

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8684c962064c7dd2b2b980eb2cd25836247a9776f77ccae8204ac0e65f83ab8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oacoqnci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ompfej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojpmg32.dll"	Okkdic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocgnlha.dll"	Pldcjeia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhjm32.dll"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll"	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkgiimng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anobgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjdaodja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfkbde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icknfcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmock32.dll"	Jgnqgqan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jklinohd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ondljl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Poomegpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjggbdl.dll"	Gmdjapgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmcclm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcnjijoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjdaodja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Plkpcfal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pldcjeia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll"	Npiiffqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glengm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemqgjog.dll"	Kdmqmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadghn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pajeam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipoheakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohnnkjk.dll"	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnnkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcphdpff.dll"	Iphioh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aojefobm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldaec32.dll"	Aimogakj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnidao32.dll"	Gipdap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igigla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phaahggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdobpkmb.dll"	Qaalblgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qachgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aafemk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmfklog.dll"	Ahpmjejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjqjajoe.dll"	Idbodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgflaec.dll"	Gjdaodja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjccdkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Plkpcfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imakphnc.dll"	Qachgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hponje32.dll"	Oacoqnci.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 448	4128	8684c962064c7dd2b2b980eb2cd25836247a9776f77ccae8204ac0e65f83ab8a.exe	90
PID 4128 wrote to memory of 448	4128	8684c962064c7dd2b2b980eb2cd25836247a9776f77ccae8204ac0e65f83ab8a.exe	90
PID 4128 wrote to memory of 448	4128	8684c962064c7dd2b2b980eb2cd25836247a9776f77ccae8204ac0e65f83ab8a.exe	90
PID 448 wrote to memory of 1656	448	Idbodn32.exe	91
PID 448 wrote to memory of 1656	448	Idbodn32.exe	91
PID 448 wrote to memory of 1656	448	Idbodn32.exe	91
PID 1656 wrote to memory of 532	1656	Mnnkgl32.exe	92
PID 1656 wrote to memory of 532	1656	Mnnkgl32.exe	92
PID 1656 wrote to memory of 532	1656	Mnnkgl32.exe	92
PID 532 wrote to memory of 4896	532	Poomegpf.exe	93
PID 532 wrote to memory of 4896	532	Poomegpf.exe	93
PID 532 wrote to memory of 4896	532	Poomegpf.exe	93
PID 4896 wrote to memory of 856	4896	Cioilg32.exe	94
PID 4896 wrote to memory of 856	4896	Cioilg32.exe	94
PID 4896 wrote to memory of 856	4896	Cioilg32.exe	94
PID 856 wrote to memory of 3276	856	Gjdaodja.exe	95
PID 856 wrote to memory of 3276	856	Gjdaodja.exe	95
PID 856 wrote to memory of 3276	856	Gjdaodja.exe	95
PID 3276 wrote to memory of 2652	3276	Glengm32.exe	96
PID 3276 wrote to memory of 2652	3276	Glengm32.exe	96
PID 3276 wrote to memory of 2652	3276	Glengm32.exe	96
PID 2652 wrote to memory of 3236	2652	Gfkbde32.exe	97
PID 2652 wrote to memory of 3236	2652	Gfkbde32.exe	97
PID 2652 wrote to memory of 3236	2652	Gfkbde32.exe	97
PID 3236 wrote to memory of 972	3236	Gmdjapgb.exe	98
PID 3236 wrote to memory of 972	3236	Gmdjapgb.exe	98
PID 3236 wrote to memory of 972	3236	Gmdjapgb.exe	98
PID 972 wrote to memory of 3420	972	Gbabigfj.exe	99
PID 972 wrote to memory of 3420	972	Gbabigfj.exe	99
PID 972 wrote to memory of 3420	972	Gbabigfj.exe	99
PID 3420 wrote to memory of 1452	3420	Gpecbk32.exe	102
PID 3420 wrote to memory of 1452	3420	Gpecbk32.exe	102
PID 3420 wrote to memory of 1452	3420	Gpecbk32.exe	102
PID 1452 wrote to memory of 3132	1452	Gipdap32.exe	103
PID 1452 wrote to memory of 3132	1452	Gipdap32.exe	103
PID 1452 wrote to memory of 3132	1452	Gipdap32.exe	103
PID 3132 wrote to memory of 3500	3132	Iphioh32.exe	105
PID 3132 wrote to memory of 3500	3132	Iphioh32.exe	105
PID 3132 wrote to memory of 3500	3132	Iphioh32.exe	105
PID 3500 wrote to memory of 4656	3500	Ijqmhnko.exe	106
PID 3500 wrote to memory of 4656	3500	Ijqmhnko.exe	106
PID 3500 wrote to memory of 4656	3500	Ijqmhnko.exe	106
PID 4656 wrote to memory of 3804	4656	Igdnabjh.exe	107
PID 4656 wrote to memory of 3804	4656	Igdnabjh.exe	107
PID 4656 wrote to memory of 3804	4656	Igdnabjh.exe	107
PID 3804 wrote to memory of 2412	3804	Ilafiihp.exe	108
PID 3804 wrote to memory of 2412	3804	Ilafiihp.exe	108
PID 3804 wrote to memory of 2412	3804	Ilafiihp.exe	108
PID 2412 wrote to memory of 1816	2412	Icknfcol.exe	109
PID 2412 wrote to memory of 1816	2412	Icknfcol.exe	109
PID 2412 wrote to memory of 1816	2412	Icknfcol.exe	109
PID 1816 wrote to memory of 4892	1816	Ipoopgnf.exe	110
PID 1816 wrote to memory of 4892	1816	Ipoopgnf.exe	110
PID 1816 wrote to memory of 4892	1816	Ipoopgnf.exe	110
PID 4892 wrote to memory of 4500	4892	Igigla32.exe	111
PID 4892 wrote to memory of 4500	4892	Igigla32.exe	111
PID 4892 wrote to memory of 4500	4892	Igigla32.exe	111
PID 4500 wrote to memory of 2112	4500	Jcphab32.exe	112
PID 4500 wrote to memory of 2112	4500	Jcphab32.exe	112
PID 4500 wrote to memory of 2112	4500	Jcphab32.exe	112
PID 2112 wrote to memory of 1636	2112	Jnelok32.exe	113
PID 2112 wrote to memory of 1636	2112	Jnelok32.exe	113
PID 2112 wrote to memory of 1636	2112	Jnelok32.exe	113
PID 1636 wrote to memory of 5060	1636	Jgnqgqan.exe	114

C:\Users\Admin\AppData\Local\Temp\8684c962064c7dd2b2b980eb2cd25836247a9776f77ccae8204ac0e65f83ab8a.exe
"C:\Users\Admin\AppData\Local\Temp\8684c962064c7dd2b2b980eb2cd25836247a9776f77ccae8204ac0e65f83ab8a.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\SysWOW64\Idbodn32.exe
  C:\Windows\system32\Idbodn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\SysWOW64\Mnnkgl32.exe
    C:\Windows\system32\Mnnkgl32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\Poomegpf.exe
      C:\Windows\system32\Poomegpf.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\Windows\SysWOW64\Cioilg32.exe
        
        C:\Windows\system32\Cioilg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\SysWOW64\Gjdaodja.exe
        
        C:\Windows\system32\Gjdaodja.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Glengm32.exe
        
        C:\Windows\system32\Glengm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Gfkbde32.exe
        
        C:\Windows\system32\Gfkbde32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Gmdjapgb.exe
        
        C:\Windows\system32\Gmdjapgb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Gbabigfj.exe
        
        C:\Windows\system32\Gbabigfj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Gpecbk32.exe
        
        C:\Windows\system32\Gpecbk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Gipdap32.exe
        
        C:\Windows\system32\Gipdap32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Iphioh32.exe
        
        C:\Windows\system32\Iphioh32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Igdnabjh.exe
        
        C:\Windows\system32\Igdnabjh.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Icknfcol.exe
        
        C:\Windows\system32\Icknfcol.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Ipoopgnf.exe
        
        C:\Windows\system32\Ipoopgnf.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Igigla32.exe
        
        C:\Windows\system32\Igigla32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Jcphab32.exe
        
        C:\Windows\system32\Jcphab32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Jnelok32.exe
        
        C:\Windows\system32\Jnelok32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Jgnqgqan.exe
        
        C:\Windows\system32\Jgnqgqan.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Jklinohd.exe
        
        C:\Windows\system32\Jklinohd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Jgeghp32.exe
        
        C:\Windows\system32\Jgeghp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Kclgmq32.exe
        
        C:\Windows\system32\Kclgmq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Kdmqmc32.exe
        
        C:\Windows\system32\Kdmqmc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Kkgiimng.exe
        
        C:\Windows\system32\Kkgiimng.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Kgninn32.exe
        
        C:\Windows\system32\Kgninn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Ojigdcll.exe
        
        C:\Windows\system32\Ojigdcll.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Okkdic32.exe
        
        C:\Windows\system32\Okkdic32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Plkpcfal.exe
        
        C:\Windows\system32\Plkpcfal.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Pahilmoc.exe
        
        C:\Windows\system32\Pahilmoc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Pajeam32.exe
        
        C:\Windows\system32\Pajeam32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Palbgl32.exe
        
        C:\Windows\system32\Palbgl32.exe
        39⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Pmcclm32.exe
        
        C:\Windows\system32\Pmcclm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Pldcjeia.exe
        
        C:\Windows\system32\Pldcjeia.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Qaalblgi.exe
        
        C:\Windows\system32\Qaalblgi.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Qkipkani.exe
        
        C:\Windows\system32\Qkipkani.exe
        43⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Qachgk32.exe
        
        C:\Windows\system32\Qachgk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Qklmpalf.exe
        
        C:\Windows\system32\Qklmpalf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Aojefobm.exe
        
        C:\Windows\system32\Aojefobm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Aednci32.exe
        
        C:\Windows\system32\Aednci32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        52⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        53⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        58⤵
        Executes dropped EXE
        
        PID:656
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        62⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        64⤵
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        67⤵
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3960
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        69⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        71⤵
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        73⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        74⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        77⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        78⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        79⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        80⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        82⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        84⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        86⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        88⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        91⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        93⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        96⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        101⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        104⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        114⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        117⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 420
        118⤵
        Program crash
        
        PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6040 -ip 6040
1⤵
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aednci32.exe

Filesize
217KB

MD5
6c1a8c19caf8a62ff23894a26c535767

SHA1
7c00505b11615e3614f6ac602c73e37cee24a069

SHA256
3166cfbcc5f9c383f0818b7099799883bc057fbda285b764c2e0dda7d8e3fcc8

SHA512
09c77b27beb2df57d8b7b98b9b650c79feced03ba24b3aa2d1a88e0aba4f0fc7d9411a5a5aed81873f322af3b8a5c3e238165318e9457ad513434f7ba8eec738

Download Submit
C:\Windows\SysWOW64\Alpbecod.exe

Filesize
217KB

MD5
77dec52e95028b7c728fa9aa502d3dbf

SHA1
ecabcac480310bd098f396e5f60effa6fd04c317

SHA256
17986f83dc319457117651625885cfd32ecfc9dcbbc920695924e00e7fe4a9a6

SHA512
115b45df1b1aaf09309ad7dd4b33ded5425943101dc052bad085f84480bad9af8e9a88e71242e8d42b5111f95a6204e98c3a4ec3b86cfee510e74aeb6ac7c456

Download Submit
C:\Windows\SysWOW64\Cioilg32.exe

Filesize
217KB

MD5
55b07a3eb7679c1efd4cdd642effdc5b

SHA1
2882aaf2fc8e675a116ff1f790278ec549597cc4

SHA256
37f9c6b011a7a9c15be13460495f2c7d0bf39be995bc816d8fe22503b16889d8

SHA512
4daf11af766407ea73bb49b13f5154b02debb46be394e3a93c3fb3dadda50a8135ad4ff7d405b7d4c20e15100c703f86155a0646dfa8d15f2ce9ab191f82a522

Download Submit
C:\Windows\SysWOW64\Dakdmb32.dll

Filesize
7KB

MD5
8f569b54e7948b278b2ec1d85765e25b

SHA1
ce3e9b021191ad5b444adc532f56fe3dd6a45db4

SHA256
e51d54793deb31292d971c6f43d512b3f1f96cf32974b1bb405eeaa1d9fd22c0

SHA512
303b92c2956020a7f5a74228b81da5dad2cccb93054165de4a76280e85d1cbd495a7e4e5b112257784bf489ae6d83b81827fad8eb479a1de58c17b237129035a

Download Submit
C:\Windows\SysWOW64\Fjhmbihg.exe

Filesize
217KB

MD5
26889f8c2d10ae7144ae966ad34a32e5

SHA1
130df9896b571f13657031b39dd35be172f05a6f

SHA256
eb528c1f25fe0c2f7810e36d2c0042b620644fcbf7d111522dd9c42053403257

SHA512
e476387d17b9317fe60e0c9a33ce09c16e8948aa3c82a21db200367ce082a3537cc253518927bfd7a1066722841599842bfe70c520532fa7156c4641a7865e06

Download Submit
C:\Windows\SysWOW64\Gbabigfj.exe

Filesize
217KB

MD5
028389573060c7b79a9e58e59855d816

SHA1
69786e941561eebb246c5cddc5c897383a463eaf

SHA256
aaabb2517e1feb910725a6493c79ad8c8f409b254e1f4f0bf5a48fed3f5d16b8

SHA512
853900706a0a8c291d7a5cdd3e2559cccc7a8fbb400ad535b3ff547e1570f7153ba3cd65853f9d4d597c8bcce3635aa460479e70ed45f2778036660cc1c1db32

Download Submit
C:\Windows\SysWOW64\Gfkbde32.exe

Filesize
217KB

MD5
0b8e0145cfc553c860b6713544619847

SHA1
2fd63a6d66aa414147df670e1544042985bdff94

SHA256
0a06a070d6db7f378e0f1b9eea2de0c72951acc1327d12ac00bde4934fc13509

SHA512
bf4be4b52e8b7bcb7dee9b8ae50960067d70762fe0ccc3e227994558489f61087561e4deaa198f8c4354d5be0d5c529f9dac72b733167ca5884f37a62b6950a8

Download Submit
C:\Windows\SysWOW64\Gipdap32.exe

Filesize
217KB

MD5
5c80c46915624c6d2507567f95fb9cad

SHA1
c322ca74d0b478501450b4bb63e89bcf8d7e9f4f

SHA256
5cffbb39ef2a03bbf7abcee929574976e2cb91927350cf0e2befc71dce7a69c3

SHA512
9bcfc57fbc7ac9bc1ed8eaefa6f640fc84d922c78656b6b0c4724ed5f08f5dc5f49eb8e385e31306fb95c9322637be18b48da12b13669ce4c7faa323aa2c5be2

Download Submit
C:\Windows\SysWOW64\Gjdaodja.exe

Filesize
217KB

MD5
70b48dbaddf39c2cb829900bfc1619c7

SHA1
c069c59977c147ccacc5ae24c98d00548d6a6c8f

SHA256
3101ed5f378e954645afcf5a1edd6101942f553ba6a373d01ac417911cfd00e8

SHA512
224b5837beda700e534115c42dd507e4caaa46b931fc6d82b99042758a1ac59d384c58172741fd15c2be912a98db8b2c7d2fc1a31d4827bc44b515937723bca0

Download Submit
C:\Windows\SysWOW64\Glengm32.exe

Filesize
217KB

MD5
b189cc9afb21427c7ba68d9ee902aaa8

SHA1
159db1eff81cae1b8e670c6721cb2e69f2fe29c8

SHA256
011734c69fd950ea68238c3d0221540756810ab3b4b61c98e5ab937da34ab412

SHA512
f6eb3f50d0a233716e6f25e56dbafc7c36200a39499009b119b050e9ec0677987095759df2d0444709c973fde27fc8b65f054e734bd3eb8c68d3d006d690bc82

Download Submit
C:\Windows\SysWOW64\Gmdjapgb.exe

Filesize
217KB

MD5
6025e5d4de74496e9d6431979eb3c3c4

SHA1
e0ba90d812ca9f005863b7fd27c9fabfa6ce0efd

SHA256
8bd456cc9ef9ccfa3aab26b4ef3e14527120def1e9683bb241dfe63acf07ddcc

SHA512
93856c722d700e2d759a19a3ff7c700e36003789edc923c0576018f28aeb55ec72897760537d288400b155b0b73f97b233beba946f33778b496e2f12d6249cc3

Download Submit
C:\Windows\SysWOW64\Gpecbk32.exe

Filesize
217KB

MD5
e1cd605e2ffea061ede9bc3e9dc2d950

SHA1
b21f40abac739b899093e7e9f713d4b111e74b68

SHA256
a673f7be7eb73afdd116ff237f31d1fb2721a03217b20894463fa8ee6344a5e4

SHA512
30a4097139972764018619cbbb21750ac162e8c0738cb2beae90ab599047407f4c2ee0d658d7f0c639d0269d7af8cdc9617ff77e1d9d79df590bfac7c5665861

Download Submit
C:\Windows\SysWOW64\Icknfcol.exe

Filesize
217KB

MD5
2cc84be4287a6aa539c5d1a8e762b80b

SHA1
92a4270024b757ac72b29475b00ed48cf7f4d393

SHA256
0a09b5058cb19b4c5952b4b5c5bd17ba3bc73f9fa2986e2fdf2c77dfcf810d14

SHA512
b8c22a95d3451bc761c2d767c28456d77997f0818aed380dca385e4cca9fb511942077da71f0a5886c6f0c63fef587b4cd5b0e216941fba69e21261d9e93327a

Download Submit
C:\Windows\SysWOW64\Idbodn32.exe

Filesize
217KB

MD5
f1693312e65aa2e335403a085cc4e6d5

SHA1
4dd159ae537a53f94d5c16a9fb298ddcc23a2f9d

SHA256
4240d8537b0b9f0bf54144864415070f24515bcdd7247e7a41db508f0fe7ee21

SHA512
95242f40072191cf7ba16a1d0cf90aab6e424414ae6e1747a1d2f87e7665c12e4821ae4edbc7d1ac1e0a9445e11487f9985ed3a6806989751b82c395eb9b54ba

Download Submit
C:\Windows\SysWOW64\Igdnabjh.exe

Filesize
217KB

MD5
fed172982b74106033f93e32ce1a4edd

SHA1
8c7e9de16c55d106ca59abc507db3f31f3c03635

SHA256
642a3e250d1b8693c819905975fafea3c1f00a038389d17f4866d13046ccebd1

SHA512
2934f735434d66c20c437f3b46b0b5b66c5a3180cabc61fdceffb6122da596d87b25b1123ffcb851a38fd0e9ee96f0d7f92cacd9dc8fc1dad8cd9e547f604293

Download Submit
C:\Windows\SysWOW64\Igigla32.exe

Filesize
217KB

MD5
4fba00e97ab6beabbf3434b9dc43800a

SHA1
6dd379b54e9feeb39cd8ccbe9a0901fb1bf1c69b

SHA256
742937d44e3b3000f59d4641cd281df98cc719f32c1308715862947f57a422ed

SHA512
1b21ee40e0c1d38416a029893709000263a4d79b334ccffba34f7ae82a180c97917cf29ce30e8cfcc195b9765b694dfc184dae3d23123eef34d40cdfa979864d

Download Submit
C:\Windows\SysWOW64\Ijqmhnko.exe

Filesize
217KB

MD5
e9d148f3047682282611b864560da745

SHA1
f041a15db18e17d685231c0faff01bbe13312bae

SHA256
0d913fd4ebca05cc5fe20fddf7b2b8b9e223a5e3bf03bb5416b1c687865568a5

SHA512
e0f21e68c841a9b5d69cefc97360fcf1e41818888d96b9baf1c521e4c7d30ee71630d2482007adf1cd2bec3614505a911bccc96a27e814170ce8980091fccc94

Download Submit
C:\Windows\SysWOW64\Ilafiihp.exe

Filesize
217KB

MD5
677b0bd7222c736025c8bc4dbba14f2a

SHA1
81716b27e5c7b438e73de4c85ebbcbe26f04171b

SHA256
a6a1d825efd53c289aa2bd9516adc478b32781f18eb611bff13b31f57d781b8d

SHA512
d62ca88f1a6b6e971f315fb5ac3ec4c4d07ab7ac940f74dec325f11946434dc361bd63cfa08a19118b4b4df14b7d4cff7885091412005589befba2d75aff4678

Download Submit
C:\Windows\SysWOW64\Iphioh32.exe

Filesize
217KB

MD5
84fadce5491874514671bd7c07e75c61

SHA1
6fb18c0979002574791240f912111a584fc95269

SHA256
f340ca71e88f9a7abdce568c32565a872df4329ad4832925ab0c47bc973cb3cb

SHA512
49dc22cedf807ae7cb380b87c44a32594d682f01d452c44b602f166385b7bf734cc9069204805bf1f139c90e64f3ec51cc80911a5a10b5261dc965d8b382ca76

Download Submit
C:\Windows\SysWOW64\Ipoopgnf.exe

Filesize
217KB

MD5
91457f39df54d9ea3e6c8c028c39be46

SHA1
acde3fe26f2e8b20949f6d24975b939244b2cb41

SHA256
2c84e8804937b8e0ed020f762ab1390aabe3610e47de9d30c05827f29d792ced

SHA512
cee822ade6f4b0e2499c7a7ab0bc0741f2d2842a995408689cb8919d74265841963bdfdee9029e67672f56184d37390947e29ad89613cc342940e0dafd3ba628

Download Submit
C:\Windows\SysWOW64\Jcphab32.exe

Filesize
217KB

MD5
792b19e608010855466dfbe748eb9240

SHA1
bfcb1bae8c244438c8f57e584fabbb313e30026f

SHA256
672a172a38ab8a6b9fe4effa3c8071dffbfc40dabd13e0770d418011bcff63d2

SHA512
98336a9512f0bb07e8ecd369cdbbac9290893bad4897475eb5adafcc08fbc72265d1cb32cbc1f8e142ef355d580ba48124563543bcf2181926b16990574fe98a

Download Submit
C:\Windows\SysWOW64\Jgeghp32.exe

Filesize
217KB

MD5
929f1bc97ed3aa61f77f92b27f7e44b3

SHA1
83e08a39bd2f681bb8df7d5312cb71d5506b348b

SHA256
6701f3e5aad65480be7e59734552d3107de6394251b57314ea47e6ec228e6e27

SHA512
664aaf8070a0f9969ea5e9b0bb518c7cd70aca6cc5c59a8e0f593555ef6606de01af6117372aff4d1cfc5d3cf470a9ecf2c6b82874148c896fa6b6139a41c8ce

Download Submit
C:\Windows\SysWOW64\Jgnqgqan.exe

Filesize
217KB

MD5
d06689fe45fa17cac031b4718042c55a

SHA1
906c7a7d9b96a5750c8ee768e8385e3512cf5b9c

SHA256
f89b44ea1971b8e3be62285a515995cc6e6bb6b16a7eb08bc604d2d75fc6b513

SHA512
61d0d6eaae2af9eb71a3c5afac118f622b638bd9adbdf6846d472745ab844c24e2f2a64fd8f6ab4078d4cfc1e581fa450fd7c4204b0596fb5e65f2e219716dd6

Download Submit
C:\Windows\SysWOW64\Jklinohd.exe

Filesize
217KB

MD5
ea3d4b5bff7cea2fd98f1a3bf131e4df

SHA1
518fe7a0fa45b55ed772eb0cc131e6a14f4daf3a

SHA256
ff533d78c2cafcac54d88a2e90a40c976e478b957d8496590c6732cc6828da76

SHA512
4597a7e84d94f6deb7992e1e5fa23b1ebf012d03fe6a85988ad0e01a481409589a8ddb0daf272b00bf829c7d670b54171088ed32d3c0714cd5895160c70289c2

Download Submit
C:\Windows\SysWOW64\Jnelok32.exe

Filesize
217KB

MD5
2d8df7c870b4a9dd166f3063e7f9440d

SHA1
260096aa2fc7784a3f951fc47617ab97b43e803f

SHA256
b114d5e1f301db1d07dbcfbabf5a0ecac836ba5c7d268b7fb8a34ef85074b841

SHA512
abd37e71a5a6c456db435d2f2907d3a3abd232b3e0d971073722dc0fabf3eb899584c5c1bb99c8fc57a8984b0c87b609dbbcf7fe2f2eaad81017b8ad60828879

Download Submit
C:\Windows\SysWOW64\Jqhafffk.exe

Filesize
217KB

MD5
7e99e554042cd05833a02b9200c907aa

SHA1
51a635760a1870b8e4e70d78488d78fb5679885d

SHA256
cf45b65222ab48acd5e264e1da0441da15d4b3ed0f6b470b930fe62bd67ec0a6

SHA512
7948e33e7aea77ccc2400cff008d19c680ca556b029aeadf754c25f0d3cc22b6faf5f07e3e8ea79d339210d76b49e16a2910a5f649f901f4d4d7d26b7db3604a

Download Submit
C:\Windows\SysWOW64\Kclgmq32.exe

Filesize
217KB

MD5
dff3113fcfd725d1c168db8fc1ce4788

SHA1
06b78865e3606aa9fc75d716eeb7d69c75611f3a

SHA256
217a9b2acbcc86c54049bb74213159b1147f58170fddb7a64d1ebadddddabfbe

SHA512
56be4e916bf6f2f8c33aa2d024ec4da08a4ed634fc474c52b9883d1c8f699cf9a29f1a9de2d1a14c0852f98fad03441ded4d535927b72269b14ad2b3f872fc79

Download Submit
C:\Windows\SysWOW64\Kdmqmc32.exe

Filesize
217KB

MD5
4dafc29b8ef6c588c7c80d88535093fe

SHA1
c2c2cd40a6da748a4982f6c6c178be6b43626c76

SHA256
1cee201ddcb2ee8c0187dac2f8196112a5ecc7891499774a8e81a437551c3b5c

SHA512
bc1ba7e369f629b822460a260e2745bd16321a827c9e5b0d92637604e681a1f8db4633154e02aa1b32ddcaedbc115e354bfb593e8e715fb1f7282ee0fc44687d

Download Submit
C:\Windows\SysWOW64\Kgninn32.exe

Filesize
217KB

MD5
29acef736a695d1fc46a79a0030984ea

SHA1
e6897a89b2a23c680aa106969d825d6b450f78f8

SHA256
8029bb755337e8acca1a1181382a814734a430b480ef1ae478117cc985f2d367

SHA512
0a9c68d72a9d78f938a1bd72d2e0c957c58919c8255c2c99f1ada3474e32661831aa0dcd15f14cdbb79eb2069cf8e552688624e57fe87248edbfc038ca53cdb7

Download Submit
C:\Windows\SysWOW64\Kjccdkki.exe

Filesize
217KB

MD5
d2e9d09a50d0e5398fde7c8d0013fa64

SHA1
02587286c47236e1cc57503587c1d763ae2ea3ae

SHA256
3d09f7ed7fb62140a1d43154a2670532fb08e49637bf3a4986edef492f5aa36b

SHA512
6b2791b65002dcd84d552457571ba27ad982073c15fa685813a0cfc4838ced56e4535f7c1083b760913142af699bf27c92be9a176a5bb286fbceab4e54fe9d95

Download Submit
C:\Windows\SysWOW64\Kkgiimng.exe

Filesize
217KB

MD5
3fb27a22f508f6e0703c4305c6ee3236

SHA1
d1b6729670912de6285b1d9990b0decbafa806d5

SHA256
e2b7c0b6857672ffa15a0e23855183c5d390b240e0bc39c4a04cf7c804b10dc8

SHA512
369c29b063745ca88c923142558f31566da1b2bdbb557a8ff30917889d95ec702685250bd46306bd240de6dbb93ebf4249d8e6ddc1e90a4e7088e57614f135b0

Download Submit
C:\Windows\SysWOW64\Mnnkgl32.exe

Filesize
217KB

MD5
1d19adee7aa0c4a3ba7245de19263c01

SHA1
92136a8ebbf9c1eccc762cb24b9d7c5d2d443a47

SHA256
9604867a6de73278674bee13397bd5262b950dc04e44683a849be5da429754c1

SHA512
fbd1b3591c7f2521c7e7e3d61e7e6e7be47149ab7220d03b71aa35aefbe9fcae0588d014efaefda0c23a6e1ad2f32fe2a6b796dc6a609be39a7392a913f44138

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
217KB

MD5
7de91e6d22d80f07d929d8e5cec7559a

SHA1
2e06541bb90e1a1ab990d6da5ebbf59c90dd4197

SHA256
a3ad9bf539cca415572984509c1c6ba0a88cf94fb3c4f7384364df5618c80d08

SHA512
ca0a81113ab6bdd7e7b066c10adc4d8a0fd0f5855a8cf87228748ea7cf625316400e9b2bf90e623c3e3265c2c8757edaa13729f12078328cbdc43614a91de10a

Download Submit
C:\Windows\SysWOW64\Oacoqnci.exe

Filesize
217KB

MD5
f4545ecb51da1d603b31c22eb667df0e

SHA1
ee68eba5a633a13198c7ac56e69d54d63721df3e

SHA256
fa33d4f5f1ef43543e22dacc917f52d421a8c01d78a1c73f04c0ef7ef14718c6

SHA512
2b59c562f0f4d61593ea2d3b9a3a291d22febf158443d448357c9287330d98213da101e4ef14228286a257dafa5f7512f66cd7ec2d708d7b875409e0357e682d

Download Submit
C:\Windows\SysWOW64\Ojigdcll.exe

Filesize
217KB

MD5
ad586a2b55cdc9b80d8de5b2b5941d25

SHA1
941afd0edb5c41d357a78c3860e26154a3e88754

SHA256
434dfea571bf03a9fd3840cb26fa3f9cedb83cf3f39a6a002cbe925d491b51db

SHA512
31114d6000a83a264c457fbf696d838f9c31576dd0bac96a5b6f937898cbd1386a16dce8b25167ddf3edbfaaba07949086c9b8cdd3fe9db21315c216721ba534

Download Submit
C:\Windows\SysWOW64\Okkdic32.exe

Filesize
217KB

MD5
871a11c00d71ae714cd86567071e4328

SHA1
4cd0d9d48ab4df1cf61137f4aee69ae33e67be9d

SHA256
31d1e36bcfbf6760cd562597d157d70ef15210dc599277d413e93f74592bf7f5

SHA512
8758910b46d756cf4223101ab47e6a5f9513d8959b786d9c6caee12398658b9f5b97bd8beab21e12b0db369b860f28d36416a1b260c21971504ba1ca1d6cda0d

Download Submit
C:\Windows\SysWOW64\Poomegpf.exe

Filesize
217KB

MD5
379359933f47609c7e9238d7de278d91

SHA1
b44e496bf9d132f032e05454915a618e38eca897

SHA256
99a1e2b5253f4278dff6fe1f31fa0f16211d2066c8b47a5f66faea71adec72e9

SHA512
bde695e76f9fee3987050e9bea4b81646a30d5a68a6afe3dcf965e83033650da780782c38f7d71d04c08744c6937477f2899ed9c8be5fa436d1b350014aa3cf4

Download Submit
memory/448-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/656-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/856-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads