675f8d7c1507ee5f046ba02c55dbbd08b141e7c9240e9a79812cb7f122a1e8f3

Analysis

max time kernel
140s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

675f8d7c1507ee5f046ba02c55dbbd08b141e7c9240e9a79812cb7f122a1e8f3.exe
Size

465KB
MD5

a0156e530c38df562463642d3bc134e7
SHA1

8c64d472a8dcce7cb80ef07d1715034e445a34da
SHA256

675f8d7c1507ee5f046ba02c55dbbd08b141e7c9240e9a79812cb7f122a1e8f3
SHA512

70c561870c80be6bd140d220ec91a45ebb4333cadc5ef5b28068a6834b75d4f68a5a2b2b1e7c247c3803816b8e531480868e9217b5899b1c30d9ed5b6f84711a
SSDEEP

6144:1P/9xAKjbPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5fKQ:1P1x+/Ng1/Nmr/Ng1/NSf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmhijd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcghg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefiopki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Legben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqgedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iacngdgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lancko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdlkdhnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicgpelg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcabp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khlklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqgedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkknmgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe

Executes dropped EXE 64 IoCs

pid	Process
1492	Jphkkpbp.exe
4876	Kjeiodek.exe
4784	Kflide32.exe
4700	Klhnfo32.exe
984	Lfbped32.exe
3192	Ljceqb32.exe
3612	Lobjni32.exe
4372	Mqafhl32.exe
1312	Mgnlkfal.exe
4320	Mjodla32.exe
216	Monjjgkb.exe
632	Nopfpgip.exe
2992	Ncchae32.exe
1572	Nfcabp32.exe
3408	Ofhknodl.exe
5076	Ofmdio32.exe
4348	Ohlqcagj.exe
752	Pnifekmd.exe
4076	Pfdjinjo.exe
2240	Phfcipoo.exe
2304	Qjiipk32.exe
5052	Akblfj32.exe
4708	Adkqoohc.exe
2220	Bgpcliao.exe
964	Bhblllfo.exe
4872	Cdkifmjq.exe
2864	Cdmfllhn.exe
4300	Cnhgjaml.exe
3300	Dqbcbkab.exe
1020	Eqdpgk32.exe
1440	Edionhpn.exe
2384	Fdlkdhnk.exe
2948	Foclgq32.exe
1692	Fqgedh32.exe
3848	Fbgbnkfm.exe
3928	Fgcjfbed.exe
3036	Gicgpelg.exe
2104	Gkdpbpih.exe
1212	Gihpkd32.exe
1848	Gijmad32.exe
2564	Giljfddl.exe
5124	Hnibokbd.exe
5168	Hlmchoan.exe
5212	Heegad32.exe
5256	Hpkknmgd.exe
5296	Hlblcn32.exe
5344	Hldiinke.exe
5384	Hihibbjo.exe
5428	Iacngdgj.exe
5468	Ihmfco32.exe
5512	Ibcjqgnm.exe
5556	Ipgkjlmg.exe
5596	Iehmmb32.exe
5644	Jlbejloe.exe
5684	Jifecp32.exe
5732	Jpbjfjci.exe
5776	Jhplpl32.exe
5820	Kedlip32.exe
5856	Kefiopki.exe
5916	Kcjjhdjb.exe
5960	Klbnajqc.exe
6000	Kekbjo32.exe
6044	Khlklj32.exe
6088	Kcapicdj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aadghn32.exe	Apeknk32.exe
File opened for modification	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kefiopki.exe
File created	C:\Windows\SysWOW64\Odibfg32.dll	Ppdbgncl.exe
File opened for modification	C:\Windows\SysWOW64\Dkbgjo32.exe	Dpjfgf32.exe
File created	C:\Windows\SysWOW64\Hpceplkl.dll	Hldiinke.exe
File created	C:\Windows\SysWOW64\Ahhjomjk.dll	Oqklkbbi.exe
File opened for modification	C:\Windows\SysWOW64\Adkqoohc.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Fallih32.dll	Heegad32.exe
File created	C:\Windows\SysWOW64\Cgogbi32.dll	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Akblfj32.exe	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Kedlip32.exe	Jhplpl32.exe
File created	C:\Windows\SysWOW64\Npakijcp.dll	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Inmdohhp.dll	Klbnajqc.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Kefiopki.exe	Kedlip32.exe
File created	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kefiopki.exe
File created	C:\Windows\SysWOW64\Lalceb32.dll	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Ndnljbeg.dll	Lfbped32.exe
File opened for modification	C:\Windows\SysWOW64\Pafkgphl.exe	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Qfjjpf32.exe	Pmbegqjk.exe
File opened for modification	C:\Windows\SysWOW64\Hlblcn32.exe	Hpkknmgd.exe
File created	C:\Windows\SysWOW64\Flmlag32.dll	Jlbejloe.exe
File created	C:\Windows\SysWOW64\Oophlo32.exe	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Ajgqdaoi.dll	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Lobjni32.exe	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Mjaonjaj.dll	Eqdpgk32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbnkfm.exe	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Biklho32.exe	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Cgklmacf.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Fohhdm32.dll	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Dkbgjo32.exe	Dpjfgf32.exe
File opened for modification	C:\Windows\SysWOW64\Kflide32.exe	Kjeiodek.exe
File opened for modification	C:\Windows\SysWOW64\Cdkifmjq.exe	Bhblllfo.exe
File opened for modification	C:\Windows\SysWOW64\Lpjjmg32.exe	Ledepn32.exe
File created	C:\Windows\SysWOW64\Hpaoan32.dll	Fbgbnkfm.exe
File created	C:\Windows\SysWOW64\Mofmobmo.exe	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Klhnfo32.exe	Kflide32.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Nfcabp32.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Ipgkjlmg.exe	Ibcjqgnm.exe
File created	C:\Windows\SysWOW64\Fkgillpj.exe	Fboecfii.exe
File created	C:\Windows\SysWOW64\Clmipm32.dll	Dqbcbkab.exe
File created	C:\Windows\SysWOW64\Ejhfdb32.dll	Kedlip32.exe
File opened for modification	C:\Windows\SysWOW64\Qfmfefni.exe	Qfjjpf32.exe
File created	C:\Windows\SysWOW64\Bgdemb32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Lielhgaa.dll	Akblfj32.exe
File opened for modification	C:\Windows\SysWOW64\Oiagde32.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Bgpcliao.exe
File opened for modification	C:\Windows\SysWOW64\Hpkknmgd.exe	Heegad32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Fcneeo32.exe	Edaaccbj.exe
File opened for modification	C:\Windows\SysWOW64\Ofegni32.exe	Oiagde32.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Fihgkk32.dll	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Hpkknmgd.exe	Heegad32.exe
File created	C:\Windows\SysWOW64\Ncbegn32.dll	Lancko32.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Jbhfhgch.dll	Kflide32.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bgpcliao.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6640	6348	WerFault.exe	238

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokomfqg.dll"	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahhjomjk.dll"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kflide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpilmfi.dll"	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlblcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lancko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khokadah.dll"	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oihmedma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iehmmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	675f8d7c1507ee5f046ba02c55dbbd08b141e7c9240e9a79812cb7f122a1e8f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Lpjjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gijmad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledepn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llcghg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	675f8d7c1507ee5f046ba02c55dbbd08b141e7c9240e9a79812cb7f122a1e8f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edionhpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgbnkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfhgch.dll"	Kflide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkknmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipgkjlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjodla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnjo32.dll"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncchae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdihjbp.dll"	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll"	Mjodla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmhijd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofobm32.dll"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkpla32.dll"	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadalgj.dll"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjiipk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 1492	3620	675f8d7c1507ee5f046ba02c55dbbd08b141e7c9240e9a79812cb7f122a1e8f3.exe	98
PID 3620 wrote to memory of 1492	3620	675f8d7c1507ee5f046ba02c55dbbd08b141e7c9240e9a79812cb7f122a1e8f3.exe	98
PID 3620 wrote to memory of 1492	3620	675f8d7c1507ee5f046ba02c55dbbd08b141e7c9240e9a79812cb7f122a1e8f3.exe	98
PID 1492 wrote to memory of 4876	1492	Jphkkpbp.exe	99
PID 1492 wrote to memory of 4876	1492	Jphkkpbp.exe	99
PID 1492 wrote to memory of 4876	1492	Jphkkpbp.exe	99
PID 4876 wrote to memory of 4784	4876	Kjeiodek.exe	100
PID 4876 wrote to memory of 4784	4876	Kjeiodek.exe	100
PID 4876 wrote to memory of 4784	4876	Kjeiodek.exe	100
PID 4784 wrote to memory of 4700	4784	Kflide32.exe	101
PID 4784 wrote to memory of 4700	4784	Kflide32.exe	101
PID 4784 wrote to memory of 4700	4784	Kflide32.exe	101
PID 4700 wrote to memory of 984	4700	Klhnfo32.exe	102
PID 4700 wrote to memory of 984	4700	Klhnfo32.exe	102
PID 4700 wrote to memory of 984	4700	Klhnfo32.exe	102
PID 984 wrote to memory of 3192	984	Lfbped32.exe	103
PID 984 wrote to memory of 3192	984	Lfbped32.exe	103
PID 984 wrote to memory of 3192	984	Lfbped32.exe	103
PID 3192 wrote to memory of 3612	3192	Ljceqb32.exe	104
PID 3192 wrote to memory of 3612	3192	Ljceqb32.exe	104
PID 3192 wrote to memory of 3612	3192	Ljceqb32.exe	104
PID 3612 wrote to memory of 4372	3612	Lobjni32.exe	105
PID 3612 wrote to memory of 4372	3612	Lobjni32.exe	105
PID 3612 wrote to memory of 4372	3612	Lobjni32.exe	105
PID 4372 wrote to memory of 1312	4372	Mqafhl32.exe	106
PID 4372 wrote to memory of 1312	4372	Mqafhl32.exe	106
PID 4372 wrote to memory of 1312	4372	Mqafhl32.exe	106
PID 1312 wrote to memory of 4320	1312	Mgnlkfal.exe	107
PID 1312 wrote to memory of 4320	1312	Mgnlkfal.exe	107
PID 1312 wrote to memory of 4320	1312	Mgnlkfal.exe	107
PID 4320 wrote to memory of 216	4320	Mjodla32.exe	108
PID 4320 wrote to memory of 216	4320	Mjodla32.exe	108
PID 4320 wrote to memory of 216	4320	Mjodla32.exe	108
PID 216 wrote to memory of 632	216	Monjjgkb.exe	109
PID 216 wrote to memory of 632	216	Monjjgkb.exe	109
PID 216 wrote to memory of 632	216	Monjjgkb.exe	109
PID 632 wrote to memory of 2992	632	Nopfpgip.exe	111
PID 632 wrote to memory of 2992	632	Nopfpgip.exe	111
PID 632 wrote to memory of 2992	632	Nopfpgip.exe	111
PID 2992 wrote to memory of 1572	2992	Ncchae32.exe	112
PID 2992 wrote to memory of 1572	2992	Ncchae32.exe	112
PID 2992 wrote to memory of 1572	2992	Ncchae32.exe	112
PID 1572 wrote to memory of 3408	1572	Nfcabp32.exe	113
PID 1572 wrote to memory of 3408	1572	Nfcabp32.exe	113
PID 1572 wrote to memory of 3408	1572	Nfcabp32.exe	113
PID 3408 wrote to memory of 5076	3408	Ofhknodl.exe	114
PID 3408 wrote to memory of 5076	3408	Ofhknodl.exe	114
PID 3408 wrote to memory of 5076	3408	Ofhknodl.exe	114
PID 5076 wrote to memory of 4348	5076	Ofmdio32.exe	115
PID 5076 wrote to memory of 4348	5076	Ofmdio32.exe	115
PID 5076 wrote to memory of 4348	5076	Ofmdio32.exe	115
PID 4348 wrote to memory of 752	4348	Ohlqcagj.exe	116
PID 4348 wrote to memory of 752	4348	Ohlqcagj.exe	116
PID 4348 wrote to memory of 752	4348	Ohlqcagj.exe	116
PID 752 wrote to memory of 4076	752	Pnifekmd.exe	117
PID 752 wrote to memory of 4076	752	Pnifekmd.exe	117
PID 752 wrote to memory of 4076	752	Pnifekmd.exe	117
PID 4076 wrote to memory of 2240	4076	Pfdjinjo.exe	118
PID 4076 wrote to memory of 2240	4076	Pfdjinjo.exe	118
PID 4076 wrote to memory of 2240	4076	Pfdjinjo.exe	118
PID 2240 wrote to memory of 2304	2240	Phfcipoo.exe	119
PID 2240 wrote to memory of 2304	2240	Phfcipoo.exe	119
PID 2240 wrote to memory of 2304	2240	Phfcipoo.exe	119
PID 2304 wrote to memory of 5052	2304	Qjiipk32.exe	120

C:\Users\Admin\AppData\Local\Temp\675f8d7c1507ee5f046ba02c55dbbd08b141e7c9240e9a79812cb7f122a1e8f3.exe
"C:\Users\Admin\AppData\Local\Temp\675f8d7c1507ee5f046ba02c55dbbd08b141e7c9240e9a79812cb7f122a1e8f3.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\SysWOW64\Jphkkpbp.exe
  C:\Windows\system32\Jphkkpbp.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\Kjeiodek.exe
    C:\Windows\system32\Kjeiodek.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\SysWOW64\Kflide32.exe
      C:\Windows\system32\Kflide32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        34⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        39⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        40⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        44⤵
        Executes dropped EXE
        
        PID:5168
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5428
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5732
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        63⤵
        Executes dropped EXE
        
        PID:6000
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6044
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        65⤵
        Executes dropped EXE
        
        PID:6088
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        66⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        67⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        69⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        76⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        77⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        79⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        80⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        81⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        83⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        91⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        92⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        93⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        95⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        96⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        97⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        98⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        100⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        101⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        104⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        105⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        106⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        107⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        108⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        109⤵
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        110⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        111⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        112⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        113⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        115⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6916
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        117⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        121⤵
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6220
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6356
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        125⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        127⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        129⤵
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        130⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        131⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        135⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6348 -s 408
        136⤵
        Program crash
        
        PID:6640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6348 -ip 6348
1⤵
PID:6520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:6840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
465KB

MD5
438c18c35f07b260877ac1888255ef10

SHA1
d2d369e8f811d23591da41a73453e9f5dd3bbd3b

SHA256
e22fab3c59bbeeb10db25012c78887413c15e0361a7252912cefc1482818322f

SHA512
06649f86fa6f2263ee0e6f1eaf14abec89352230a105ce704eb43e8d846a175f85ee56a2fd7e1fe426424870fc7221462228ed3467d89ae8888e0d289497de80

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe

Filesize
465KB

MD5
729e4603be5cfc83127aae710e068d0d

SHA1
474e633056dfe979c3f5116feab6e3643c9f9829

SHA256
28a7e1d3c2b6fb28bdcfb73b6089033f7bb5fe848d628b26755b9418d71b2e7c

SHA512
19f2b8fa99c11f6155c219df27e161db995102c12c43b1d99babf6ee323cf0272e09ca2823a0597626cfd73410b5af67a2a863f775318f34e094414c433fc2c9

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
465KB

MD5
1f359722b7cb3f012e1770730b4a469c

SHA1
28bb8a1ba6d56068f9148cff699bd81c6b99a447

SHA256
36ee21c33f38898d022458f7c02f30875a9356005bdfc50489d454449a3be5a5

SHA512
89196a0cf1616df1c87cfd84ea854e081bf512072725b01dba7dbcc34813eb991b051e346c724c2e3b30f34fdd30534f520e671f989b6b3a98fafaa7313ed0e4

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
465KB

MD5
3ceb19945d9e597a58bcc6c24fb178b7

SHA1
320e86e5d4af4595b1f4f17771724e89aa449753

SHA256
0bad071d7f7838cb9dd3437c7797159fd15a4aba10acab1ff72b37fa76d246f9

SHA512
3f7ac9b86b50cb5efc37102c85c5701ba63aaf48604170aa6610a190135de76bdd53d311b1e9c8f20f6c8214106548863ca2b4a8b3d452765c77ae13056f7c32

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
465KB

MD5
45a3d550ce26adca7a70bf22667cf51e

SHA1
b64687a5177cfae2bab90ea52c3caffba54ef57c

SHA256
be6e13505617538e8fc36d9c22df65c10aa8a442b2fcbaf7ac22a4722ce9e9ee

SHA512
e47778d9d5385b64fe0b6629f1b69f6dfa3121313364d38e5afbbd3a9bbdcbc8b8d684f1670377020e74862bf9b676cfeea5183b3d37c92267e82021f4365003

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
465KB

MD5
800a8000f146f57289bb8048a18e21b6

SHA1
6778278a97d698c11e85209d0017f1130c5d5f8e

SHA256
e9984ff745ff5262937da58fd586fa5bcb16c15612b80606c9bba727c162e659

SHA512
4a6f049acfd0f951416145d61acefc91a9e31576e09545f400a2060eabba7f7cc01a4c0794ddfeaef4c66aba0a77b83d9f45d0671b0462d9c8635fb0a25ee496

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
465KB

MD5
fba472a5de67b0fbc699f2b698ea20e3

SHA1
b0b912d30a7a9144074786091ab49d799defbab0

SHA256
de6a3f399863afcbd5922aba0fcba74bf0eb00a95d9cbae42a15f791b72d3b0c

SHA512
a4d765e2e63bebdac6356ff5df92cf869f09c1b916c382c71131f3657d3ca5bc97e0a72e289b8bc1e735d4a9d36b4f78acbd917d6b7d28d05338a74504901dfa

Download Submit
C:\Windows\SysWOW64\Dqbcbkab.exe

Filesize
465KB

MD5
013c9fe2e1aa528467b1dc79783a9c13

SHA1
c3fd3a3afae2d707f6e4ac9a9d9525564618d3b6

SHA256
00d6be6a202e4c899bbd4faddefd5d69d18384556207a4d94ccaf45d35cb2c7d

SHA512
3ab26df576e965e132b0c3e20d0dbfcbea87d9e76e43836264a593a1824aa7fb0570e9d575aa2cd07516d7955048468324e4d36cee3dc4f69b46772699ea3822

Download Submit
C:\Windows\SysWOW64\Edionhpn.exe

Filesize
465KB

MD5
96e9abbb7c8138928b48b90cac0c178b

SHA1
e3242ce17886ad120099667e5e28a15604395f6d

SHA256
749b93dd67425c21168603150a29550754b817273f4da45962a7232362ff6a06

SHA512
c9bb259a6ff708be8c47876bb0a814412503f61cb3d83e1cb5fba88cc15bf54cd7f7c45666cbba62d7e0133d1dc3469befb523c2589c2ae650f623603e7b5f9e

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
465KB

MD5
2501e1e99cbfea06f54bc12202ec1653

SHA1
319e7aa3da1ef08c896c24373fb141c6042c9d08

SHA256
1d02a45c977e44650a0ea8cc8c95a51b13ebe18d9f6927a5030795d08f0f503b

SHA512
8b5ed33815d623b60132362ba244adb9262b85d221c2b8c40765e2f70b98af05b4a918f8567e6e33520b96e47dc9bf0b88df2a9aa26b572e0c3bd0b26137377f

Download Submit
C:\Windows\SysWOW64\Fdlkdhnk.exe

Filesize
465KB

MD5
2f51edf3a8d82c670ec0fdfa3cc7d0df

SHA1
ce2e56d8cf4c4ba10f8189afa3ba5307e2737a81

SHA256
ecde59b01ca92e9dbc48f41784ba96e304c31b4f8482d92fd8c0f3b6688043da

SHA512
5ad30158a4641f93fc9c42fa9b14f0940f3e3c3640fbc36f022e1f5007e56b946f7b36d54c57c46cf1dbb13366cfd16a2a2ac8a21ed4aad6350ed83b7516e301

Download Submit
C:\Windows\SysWOW64\Jifecp32.exe

Filesize
465KB

MD5
15e8e7f62ec94e6e8379ca1b4734b41d

SHA1
07afb945ac200f49dc5cd3ac1131de67a631bb3c

SHA256
5c1684cc863f04fd5d84f4f9dfcaffe17a49217be3e177a7b3e615a7891615ac

SHA512
a3e6666fb3d44eacda9c59c24cbd7fc9b93c70a6013d289532fe26a22ac0fdb13cb02348294dcb98d74ebfd9e555998e30857cc1c839992c5a89abf6906703bb

Download Submit
C:\Windows\SysWOW64\Jphkkpbp.exe

Filesize
128KB

MD5
e0ff8afa7f957fad2b6ddc5df23fa4ac

SHA1
31523bf892e9eb1773793fa252b45105ff682064

SHA256
e28dae7428feed6a78145409792dda343aef6ca1db2f8a878f47fae1f806cafb

SHA512
ab3963b767a954913cfd39a6de1761d166624414326d856197bc93e8c79a799b9de69a5931e2ed3fc8a3979d32e6cb697e8bc41fdb1cd409fa257fa82b69d84d

Download Submit
C:\Windows\SysWOW64\Jphkkpbp.exe

Filesize
465KB

MD5
74c00c3dc38554c0f63241ad5a250c27

SHA1
cfdc2d8899f344ac3d7c109b87bac198840f16d8

SHA256
879cb2b31dc678f1366b3e6e481a4fee65a8407c000cfa36697d85012237dd2a

SHA512
994ddeb5e1d3b3c99b4e501821c28fdf722b63deb8a39cf15d4561dc75555c0548d28868b588bdfc0e80b68ab1adace3a27809bca4a90ca974cde37390989126

Download Submit
C:\Windows\SysWOW64\Kflide32.exe

Filesize
465KB

MD5
4756fa9b381424694237776bf2dc4825

SHA1
52fc279964ec71d5342254b779a7c27749fbdbff

SHA256
f9c1f3ca77a8d449a0093da38c38b2af9688fa64536d2b51270bb13fec6df537

SHA512
6a8e64801095071879a660f0d880e8a8a6c41785e7983320bc7c0629e8b2296a13dfcf7c2e61ffae0f30a594cd9edd67044746fa8c054e88fda9cb7f94d33b96

Download Submit
C:\Windows\SysWOW64\Kjeiodek.exe

Filesize
465KB

MD5
1607ba28cbe279a472972ad8c1be8f02

SHA1
96761396d63e1dbad9b7009995044001d1411226

SHA256
aa43aa777315a84180a26cbbb1aa9f3a7587d24b25a5fbba0a5d6473dd930890

SHA512
9a9e523820eae33c8eba7b0d59acd9decf6f61b62bd569a3d647b6a8ab9f13ea49689b6a1a4342b6c8e9dc1fc452fe8354efd88463e1d4692b39f0f92bad9427

Download Submit
C:\Windows\SysWOW64\Klhnfo32.exe

Filesize
465KB

MD5
9cf8fbcccb91b1979c5955f8134f6fd5

SHA1
01ffbdbd4747f8e6efe3310ce777dd79615323d0

SHA256
a81972e3d06494a4ed5e52dc97c75957c0c0d69f10a7c00969d362f2b12abb37

SHA512
b822c2649139a19336625b4c6217fb0d66baab1f437532a95104d61fc41d011a0c0b4167871763ccd0c20528e9b48954717c99e56e8c07fa43b4c6404c1ad41c

Download Submit
C:\Windows\SysWOW64\Lfbped32.exe

Filesize
465KB

MD5
6058e3bac126d2b0f5478cc8fe938deb

SHA1
bf00ed6b1f8f7bf65c98c8d768f196b853eedd1c

SHA256
9c4d20e1b5a297ea3a0f9afb845177bc3a49806f0fc914cd3158fbd55da19123

SHA512
a1fdb75d0a6e8029c51ad99eeee1bcc9620ca4324b0ff1acfd81e753d182d7b64af774a2c242fb799bcb3e79344e6413ad8cdc5c8e32e8cd76c6c33ce761a36d

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
465KB

MD5
6c3e7d9fedb432857a5d2f0097052442

SHA1
94fd6adad061bb7c3db9ab4ff468e08264390e73

SHA256
2457aa4ca369910ff22637e4a5e53a5fbeeaae0d8770e7edb1bd8917425b2fd2

SHA512
c35cc51dba3bac06aad60126288a58cddbfe07db5031c238453c9bd741ef8efd0569eb50050bc0516ffcbd1d12176a7bcec5d9691101eae706adfe4215a8df04

Download Submit
C:\Windows\SysWOW64\Lobjni32.exe

Filesize
465KB

MD5
46f083bbfd12545ed02603f0ea46b701

SHA1
26ebbabd391833a694c88310d40fea31c47d0316

SHA256
b7f9c3e55252b6f169177ba05bbd690a427e1508b152bce27c83e65908c50a19

SHA512
e0d7e7e0af858f66e9691e70da6d9a34c87f3c842a7a93edf1c743a7d61d829b5bc6b34234346f0a0d0d6adc729cf55cac8e1a7e17c44003e08d5731447f7dee

Download Submit
C:\Windows\SysWOW64\Mbgeqmjp.exe

Filesize
465KB

MD5
fbe937470cefc4dbf7332470397bbf14

SHA1
ea653559b567367369426508d42fc8500584b4fc

SHA256
02128a08c118029992404a8369efad5f3a9df7bd04fd453f80a0110b7a875803

SHA512
f56475572bcca7d65497001ee1ce525abe8a0a3a635a3090416b03bc37dd4a24ac803ddc7057ff80e688a3c1a2176bfacca9f10b9298dfc8e963a36ef0a6dd84

Download Submit
C:\Windows\SysWOW64\Mgnlkfal.exe

Filesize
465KB

MD5
b4b43f593cdc8250d5e32b0e2d66f6ab

SHA1
bccc9d0a7ce309e9d4148100d53509046fee4e0f

SHA256
cc55103da1b69145d14d311eaa94a7727c2a2dfea87e6c044a49ce48b3825f38

SHA512
1b51f14009522b0c3b589cccf5354c0cfe382a979310957d5ba35f9fd915e584b3b50ff2db402639560c2b153cd5b98988cca9a875a91d99ac77914ac9d6a58a

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
465KB

MD5
50049c1fc60af4a9661f51c724af5ea1

SHA1
fe60b5bf046cbbeb115cb0fa821caedd668664ac

SHA256
946be468ce8400ebd6e50735bb5adb284139bef7b727df1a4880235530af2e44

SHA512
c3c53b5a49762144b58778623c269fa3d6e0b0bd9b4be59a0e5f40183c050450188d4cafd82730c43e00d837da46a39be7ce4b3060cde277dc15765fcc2d8239

Download Submit
C:\Windows\SysWOW64\Monjjgkb.exe

Filesize
465KB

MD5
2ed3f58a8ba70d381a3fa8ae116cd3f3

SHA1
27d6235923d2291526434cf3c5d1601510cf4ea5

SHA256
93b1a18555fcb3125cfb5c6942b1d903f0c32a8f5ec88e4bf015ebe47581e2f0

SHA512
fa45e79d0c9347cf0cdbcdef68eca67f41d6d871ef654e79d09d27223342b32a2bbcb590fd4a7c779616475aebfc7b01eb6bbfc89de020aa6f6e264e31d52384

Download Submit
C:\Windows\SysWOW64\Mqafhl32.exe

Filesize
465KB

MD5
44355b1864880018e3e29dc129459a8a

SHA1
a0545a109a27f72dd0cf773b4f59ad0f01daf055

SHA256
69a20a2dce98c3c013a0fe47c51e1c9c6f994cfe9af8debfedf7f7bd31b7df21

SHA512
0f5a2aa5f39992cd159395e7afc78943f1e78dc44901579048d2d5c7535d5baef07d4d9239854fa5ae6854ebd38348dbd2a7aee26428ea6eba046f69fdafc4d0

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
465KB

MD5
65be203534fc5ad81c8100ac306c939a

SHA1
bf7268af3eaa9b5f67d5561b97af8249e3427e96

SHA256
0c0ffb4db57e7843e0a44744e90a92052b7b29058bbd4f8b6b6ad5ec541d74ee

SHA512
aeb6e227f784fe391442f602bafec953b1f6ab06885706cb3624b8dc4a19006cb6ca7131d6e726823b9f67a7ab67ffcdd6edca5c31f255d211ff6c545e258137

Download Submit
C:\Windows\SysWOW64\Nfcabp32.exe

Filesize
465KB

MD5
79238a59bffe3a8ec33696de450296a8

SHA1
3a26a05265b05192746e6b52cf8c0a43f120ccc2

SHA256
b10c88d8b1d0511dbb703ce28de11a872e89dabfb6de15b905070dc184e340c3

SHA512
358e694b9f0d92278aa85524347c6e401d60277a2104345cf026bd0dd277a50d10cff3f80b15198d068b77eca34058626c244f24dc4deecfc2eb92afe7450954

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
465KB

MD5
9118d5968505ec272eeb38fd303390f6

SHA1
93165e7d2ecf1b646601258a58e4ca91f8d560c7

SHA256
d29be21f397ee952a25c1493422138d6070754c1bfa2b782e0491bc33ee02929

SHA512
615d387413adc913e65378762b23026313399408ff3d9aa735091b07458014ed5203a09d8376e2d33655d20530b41b1b13afbe01da423348d606635b33453d31

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
233KB

MD5
2b5f026e56f32f9c7447ce5014b4327d

SHA1
d6c123d33a880fcc394edede93d07b3f4808c652

SHA256
0cb169a96f07130ccad163a603e3b3b16a6f81eca042e35ae22b1eee0eff92ea

SHA512
f12eda729d0c8409b6f0e9409661945aaf7065f52d2396aaf7ab00e375bafff271628a7f3788a3f7a6c5464c2477c29811332188e6b94faedb35b736d151e9b1

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
465KB

MD5
34699fc1fed8da222da01368ab77d5a6

SHA1
d5f5136bc3fa38edfc6b9816c5703f302f05d966

SHA256
065a891224b87961461f80824ceaceb849453eb146d75d0b770bdff3eb92a8b1

SHA512
1893706308261bf8ff19ccfbeb677336cdb644e1ca352c68d8b7f5d85dcc32c1c9b4fb4b5ceeeed717f55caa9f584e6221bc70ce9af9be421aba2573da3190c8

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
465KB

MD5
6e9981e73cd447a923c3482165eea330

SHA1
06ffda4cd6387561300530347341bac0c0293461

SHA256
8f4d7f5a1d02eace690b15d97923f635525d73a207a7ab8cb77a8125118bdcf8

SHA512
d731cc57f4a01a8be8ec653c981f7980259925fbb149af28fc62d0048f4ea72f80e793ef6ae7f7ebbef8994dd2ad220ecd1383a35d4f389eb4ebcf3653fc2c84

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
465KB

MD5
d366d80304d6157d11f0132d1a355b5e

SHA1
1b640d57891095f8b00b921f34928b49717cf081

SHA256
82efb2400d97250dacc573e6a1cf3a9bd584f43ca75b7552ee1aa2cf3f690ca7

SHA512
e29f8d1106a44dedff02a86af57956d5ed4f07d645ab5bcafa9cfac04dc9f6a63a78a83a7c5b0192ea814bb57416027ffce8e907c7211abd74a24e7cbc1c8342

Download Submit
C:\Windows\SysWOW64\Pfdjinjo.exe

Filesize
465KB

MD5
7edfa4d381021e6f0228972296d2f2f4

SHA1
54827c3fec15bf05ecfccd47d09419eab0dd8dea

SHA256
04a9e13909b150e24d1c86a190d69a64a17cdce1ac16692c47ccb869e5e4359d

SHA512
2783353575aad5aebe9f50a4a027094e154f1d3634c588001fbcf4f79a48611d65170678b27a3ea40347f6fcb0ae552eec2c1ed1846dba2c56293b0f7c8ad539

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
465KB

MD5
2bfb8081bc7a994b86c67911f633306c

SHA1
f70377a8a528cb6ab30e00c837761be525e14e7b

SHA256
769bfec2a37a5eb59323101623104e7619372ceb8120e0ccceecf02560af16a7

SHA512
35a0d34f98a09c0d4e749e2246bd7f903e9491ad552d84fe885ea3f8c8dbef6cde68c513b7f7277bab9a3622396a118542a55f4a40d5a329b6b07b72a6a5b65b

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
465KB

MD5
806a5e31822da96f846a45ab6b079ba9

SHA1
6edcb505a9ad13c05ade6908faea266b648a88bf

SHA256
da4ebb33c973983b9781d2bbbbd1bb703d9b89e06c7a1d323a1f37e83451248b

SHA512
b006346e0bb27e3c919eefcb40fee395b8c4eb95b20cb3c11deed53c974be1ba8ba858d9a7f9f2f546dc1ef231669275e52237e18bdc19fd73e73569def81c9f

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
465KB

MD5
55d43904a876c751281ad258cea18aef

SHA1
113e98015479358a008a1c17b36765dce4438dcf

SHA256
192d8d18ed5d3a8f411697423fd17eaae94fe44958685eb3a0fca7762bb3f5b2

SHA512
c5ab4623285280241ad822fa3a9eb03d5eb1ff63fc095b4b1a59a908beea48f85628c2856f503292d9de49900aa94bcc58cd46e070b0fbda0068695ce84a2d09

Download Submit
memory/216-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6496-990-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6624-989-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6820-987-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6944-985-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7044-984-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads