2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94.exe
Size

488KB
MD5

b7565b1cb4386a3e5d1677b04f83fc68
SHA1

4adbf476066061fe1f0ecd9fad50754512f31059
SHA256

2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94
SHA512

88c4093df8fa4ba41ef64c348685091e57a1a263cdb6d8b3402b406f1cf9c9535fc2a6695c6c243e659e820e8689fcb50b611d2f72fd608c10c014b5b6c64dbb
SSDEEP

6144:xFFPMxzpon/TNId/1fon/T9P7GSon/TNId/1fon/T2oI0YokOsfY7Uon2KO:x3PRNIVyeNIVy2oIvPKiKO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe

Executes dropped EXE 64 IoCs

pid	Process
2572	Eqfeha32.exe
4816	Ffbnph32.exe
3564	Fmmfmbhn.exe
4256	Fokbim32.exe
4520	Ffekegon.exe
376	Fmocba32.exe
4664	Fomonm32.exe
3088	Fcikolnh.exe
3132	Ffjdqg32.exe
4880	Fmclmabe.exe
2416	Fcnejk32.exe
4792	Fijmbb32.exe
4928	Fqaeco32.exe
3704	Gcpapkgp.exe
5040	Gjjjle32.exe
1156	Gqdbiofi.exe
4884	Gbenqg32.exe
4964	Giofnacd.exe
3532	Giacca32.exe
4676	Gqikdn32.exe
2216	Gbjhlfhb.exe
2928	Gidphq32.exe
4684	Gcidfi32.exe
1772	Gjclbc32.exe
1004	Hmdedo32.exe
4428	Hpbaqj32.exe
744	Hikfip32.exe
244	Hpenfjad.exe
4992	Hbckbepg.exe
3116	Hbeghene.exe
2684	Hjmoibog.exe
1160	Hmklen32.exe
3104	Hcedaheh.exe
1172	Hfcpncdk.exe
4780	Hmmhjm32.exe
3944	Ipldfi32.exe
1848	Ibjqcd32.exe
2692	Impepm32.exe
4660	Ipnalhii.exe
4532	Ibmmhdhm.exe
3780	Ijdeiaio.exe
3332	Iiffen32.exe
4836	Iannfk32.exe
3992	Icljbg32.exe
3044	Iiibkn32.exe
4388	Imdnklfp.exe
748	Ifmcdblq.exe
3268	Imgkql32.exe
4440	Ipegmg32.exe
224	Ibccic32.exe
1788	Jaedgjjd.exe
4016	Jdcpcf32.exe
4596	Jfaloa32.exe
116	Jiphkm32.exe
2388	Jbhmdbnp.exe
5052	Jjpeepnb.exe
3616	Jaimbj32.exe
3084	Jfffjqdf.exe
4120	Jaljgidl.exe
2536	Jbmfoa32.exe
1540	Jigollag.exe
2504	Jbocea32.exe
2752	Jkfkfohj.exe
4400	Kmegbjgn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Eqfeha32.exe	2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Fmmfmbhn.exe	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Ffekegon.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fcnejk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6036	5764	WerFault.exe	216

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2572	764	2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94.exe	88
PID 764 wrote to memory of 2572	764	2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94.exe	88
PID 764 wrote to memory of 2572	764	2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94.exe	88
PID 2572 wrote to memory of 4816	2572	Eqfeha32.exe	89
PID 2572 wrote to memory of 4816	2572	Eqfeha32.exe	89
PID 2572 wrote to memory of 4816	2572	Eqfeha32.exe	89
PID 4816 wrote to memory of 3564	4816	Ffbnph32.exe	90
PID 4816 wrote to memory of 3564	4816	Ffbnph32.exe	90
PID 4816 wrote to memory of 3564	4816	Ffbnph32.exe	90
PID 3564 wrote to memory of 4256	3564	Fmmfmbhn.exe	91
PID 3564 wrote to memory of 4256	3564	Fmmfmbhn.exe	91
PID 3564 wrote to memory of 4256	3564	Fmmfmbhn.exe	91
PID 4256 wrote to memory of 4520	4256	Fokbim32.exe	92
PID 4256 wrote to memory of 4520	4256	Fokbim32.exe	92
PID 4256 wrote to memory of 4520	4256	Fokbim32.exe	92
PID 4520 wrote to memory of 376	4520	Ffekegon.exe	93
PID 4520 wrote to memory of 376	4520	Ffekegon.exe	93
PID 4520 wrote to memory of 376	4520	Ffekegon.exe	93
PID 376 wrote to memory of 4664	376	Fmocba32.exe	94
PID 376 wrote to memory of 4664	376	Fmocba32.exe	94
PID 376 wrote to memory of 4664	376	Fmocba32.exe	94
PID 4664 wrote to memory of 3088	4664	Fomonm32.exe	95
PID 4664 wrote to memory of 3088	4664	Fomonm32.exe	95
PID 4664 wrote to memory of 3088	4664	Fomonm32.exe	95
PID 3088 wrote to memory of 3132	3088	Fcikolnh.exe	96
PID 3088 wrote to memory of 3132	3088	Fcikolnh.exe	96
PID 3088 wrote to memory of 3132	3088	Fcikolnh.exe	96
PID 3132 wrote to memory of 4880	3132	Ffjdqg32.exe	97
PID 3132 wrote to memory of 4880	3132	Ffjdqg32.exe	97
PID 3132 wrote to memory of 4880	3132	Ffjdqg32.exe	97
PID 4880 wrote to memory of 2416	4880	Fmclmabe.exe	98
PID 4880 wrote to memory of 2416	4880	Fmclmabe.exe	98
PID 4880 wrote to memory of 2416	4880	Fmclmabe.exe	98
PID 2416 wrote to memory of 4792	2416	Fcnejk32.exe	99
PID 2416 wrote to memory of 4792	2416	Fcnejk32.exe	99
PID 2416 wrote to memory of 4792	2416	Fcnejk32.exe	99
PID 4792 wrote to memory of 4928	4792	Fijmbb32.exe	100
PID 4792 wrote to memory of 4928	4792	Fijmbb32.exe	100
PID 4792 wrote to memory of 4928	4792	Fijmbb32.exe	100
PID 4928 wrote to memory of 3704	4928	Fqaeco32.exe	101
PID 4928 wrote to memory of 3704	4928	Fqaeco32.exe	101
PID 4928 wrote to memory of 3704	4928	Fqaeco32.exe	101
PID 3704 wrote to memory of 5040	3704	Gcpapkgp.exe	102
PID 3704 wrote to memory of 5040	3704	Gcpapkgp.exe	102
PID 3704 wrote to memory of 5040	3704	Gcpapkgp.exe	102
PID 5040 wrote to memory of 1156	5040	Gjjjle32.exe	103
PID 5040 wrote to memory of 1156	5040	Gjjjle32.exe	103
PID 5040 wrote to memory of 1156	5040	Gjjjle32.exe	103
PID 1156 wrote to memory of 4884	1156	Gqdbiofi.exe	104
PID 1156 wrote to memory of 4884	1156	Gqdbiofi.exe	104
PID 1156 wrote to memory of 4884	1156	Gqdbiofi.exe	104
PID 4884 wrote to memory of 4964	4884	Gbenqg32.exe	105
PID 4884 wrote to memory of 4964	4884	Gbenqg32.exe	105
PID 4884 wrote to memory of 4964	4884	Gbenqg32.exe	105
PID 4964 wrote to memory of 3532	4964	Giofnacd.exe	106
PID 4964 wrote to memory of 3532	4964	Giofnacd.exe	106
PID 4964 wrote to memory of 3532	4964	Giofnacd.exe	106
PID 3532 wrote to memory of 4676	3532	Giacca32.exe	107
PID 3532 wrote to memory of 4676	3532	Giacca32.exe	107
PID 3532 wrote to memory of 4676	3532	Giacca32.exe	107
PID 4676 wrote to memory of 2216	4676	Gqikdn32.exe	108
PID 4676 wrote to memory of 2216	4676	Gqikdn32.exe	108
PID 4676 wrote to memory of 2216	4676	Gqikdn32.exe	108
PID 2216 wrote to memory of 2928	2216	Gbjhlfhb.exe	109

C:\Users\Admin\AppData\Local\Temp\2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94.exe
"C:\Users\Admin\AppData\Local\Temp\2b56c511eb015560edcdd81cdb83c90370aa7248b5569bccdc018ce2388e9d94.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\Eqfeha32.exe
  C:\Windows\system32\Eqfeha32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\Ffbnph32.exe
    C:\Windows\system32\Ffbnph32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\SysWOW64\Fmmfmbhn.exe
      C:\Windows\system32\Fmmfmbhn.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
      - C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        25⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        28⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:244
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        32⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        33⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        37⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        41⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        42⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        43⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        46⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        53⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        58⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        64⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3308
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        67⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4712
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        71⤵
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1696
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3052
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        75⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        78⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        80⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        82⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        83⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        84⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        87⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        88⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        90⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        94⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        95⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        101⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        104⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        106⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        112⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        116⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        117⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        118⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        123⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        125⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 408
        126⤵
        Program crash
        
        PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5764 -ip 5764
1⤵
PID:5160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
488KB

MD5
f2090bf9b40e3c6d76000b5aa90098a6

SHA1
93f3507aec895de00012eb0203d1b94b5c406ef8

SHA256
d865a9f7befb642508da9aec4f583cc2b3377c16894a094f9e42deb8260eff30

SHA512
dd53228d326cef16c5a98a1d7ff5558bdc70f78d1e72f5d9511671a6693dd25fae54f2d83778fad7b7a2f37c579d1eb779d5e3c0530275e9463c932015cd49c2

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
488KB

MD5
02a6fd8f6b140f06a3f317da589cbc70

SHA1
517584353086d2b1da3bae688b3678a8b6e68664

SHA256
69d1bef596ab9cf86af9f170968e709d710f9a22d2d675b0cc501fa0553f8ae6

SHA512
727e7cef1e1daa9525ea94828c5a3702ce536bfcd90c6f3a5539a3617eea3940e8d8669197d900b2a7835d16063dc6b51cd7cc1b15dbfb0f7ac149af33453a83

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
488KB

MD5
35a0320003c3652ee230b2f684e2eca4

SHA1
24fd93e8fe69a36ae6e6f4a92282c0c35a958a7d

SHA256
9ef59cc7dd52fff85aad1d6ec053013b6ffe495058cf7d4c05b5f1610d21bbd1

SHA512
c89ebf615e40622a06e03d59211fb5c8c1ed38492fb1f6372ae999bf124ff8c1aeca2e692c3a01a113dcac3b896ba4124a4ebe6f33da8db175d830b8908b02b6

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
488KB

MD5
3e1af9df96d830454ddef5e26ca49c1f

SHA1
c510fd77392e473f97f693e269630e3db36e729a

SHA256
583ed8c30c69b9e1d30f5c7aeafbd52e4b6ea5a96f5e24477fa7942d02890753

SHA512
fd49685747c272050015597d9ee543920d293fef82ccdc334aa71f0ce07b471855bac31c58ec396d2ece3dff04ec08b85c6c7ee0c0a9022b54b36fb0069fd820

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
128KB

MD5
fe041e230267d820734bb05a509bcb43

SHA1
9954af0cdcf32f935c177aabb88bd0843d23b4f1

SHA256
cc7f5e992befcd3298663b5d6afa33e88dd3abe2769b7cece913e24d319a0219

SHA512
9d2c1f32b817b6ccca17cae415873dfec8677c813f86b7d3386dc0b0fc58ae72b3fe33ad0342b744c71e054aaf9bbf198555b733d648b06c711f6589bdee3589

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
93KB

MD5
f9cfdeb6e76d6a297974f5795f9bdee5

SHA1
5068258708f30a8d0a0bb3fcc15c11ca98efe473

SHA256
81e465db2ac9bae61bce6dba80733f3fef32bc7bd083278dc1380b61d00128d0

SHA512
4bf6f362364179d0f849dc0e6788c0882cf128fdd7c5af62ccf902689824aa56fe27704be7873a38c24658158ebdf84971e2b18c5007121683bb67ead9a593a9

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
488KB

MD5
dd134f2ed2b06355cb5b6a6c5a88efd8

SHA1
7680a14575914ce0982d654ce1cebcb5f180c120

SHA256
4ef4906e344b3fe2e1ce428d38758f4127f257fd2b9e96ab6f202a6612e48001

SHA512
8f1e4f3931b9c45f6b19f987b1db11d5986561a01d93d34c7840e0b99394427d5e05473b7472596bc500273f396d0f7704c5e576442de818a36d20a556f3fb25

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
488KB

MD5
850435db2bed0f4696c47da08b3b5e68

SHA1
67bbc36594aa60904677b2a9656cc9e400884d22

SHA256
93170a598c46582f2041edd3a53f2f988ef8997fb37f1df19fa15a5cccc4d260

SHA512
0853182373f52e25b5a5f73db014bff545cc42f1b09aa96fcb9545ecacb4cf597b26c6328dca1c64b9220f6eed0f6304582458a7eced36bb0876372cea4dd711

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
488KB

MD5
f4e305be6f3cda963b9a8b39147b9286

SHA1
b7edd156288c04a32e833fc1eb0e0692bec5f305

SHA256
6656ba9174c789f7d808e6ebe758c57ae4259b0889f0eabecd853d4bf88d7497

SHA512
c20430d3d3e42b9e9edb29ff5ef6f98e8f90974eba928829623a400fc0e9952abe76aeb66ae79e76e6ce3c726594e5ad5acbeeb6c964cdf6fab6f8139ef22dd5

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
448KB

MD5
7da77dc012c8db95c1e9e987d6147d09

SHA1
eaac3de45f04a16089a7dcb832d7118c11ba9cc6

SHA256
40ca7dce2dd034de86df7e6f7edda8e965ceb401e50149a3d0706fd9a59cc72e

SHA512
cb0a089495a065d00596765d5a44f7143849e773f5043623241a9f79f503fab10a26acc430717dbe6f601d312c56e433b41fab77923d4a44dbc765160e9a4f99

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
488KB

MD5
79291eebbb2a6293449b03fc6bd0c07d

SHA1
2374eca0f87119b2d3ac6259722afa6c5a70c12b

SHA256
47eddac8b9e1b625150ebcf53749afc149ecc972f29aeaf8da1d37d291fe56b6

SHA512
f97e3d100cedef1d954497b26f441eafc42b14f54095c4885dc091fc477c74af0f3cfdfada3b8c5ff6a13e72b81c427c159707dadfda1057e43e7365b497cbbc

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
488KB

MD5
461e4b713c2c7aea4cd0932ec9889127

SHA1
a795a7a03f997ee961aa2b033812e7a445551c3a

SHA256
2fbf354ba565bf223b6d8461db72b0567ce3b93f94d95ba2eec1abe69a25998c

SHA512
8732e72966670e600e91550fdc4a87d1e7735c4d62e4ea9d9f35e76cb380a3787e727b98bc64e89949e0c8190391c7af77890362e7d5c946556b2938845b9dd6

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
256KB

MD5
a8b5f297fade81c49c8d56b369e084e1

SHA1
50ad2c1a42a39fdfc7c5d9bf88f1a1ed47920c5f

SHA256
8934d9825d131bfbca97648cfd20809e03805da0b9a537301af72ec151488157

SHA512
106f02a3120b4d0b45bf7f147a2803f886112c42629d31efa6d730c7558b68dc1ba24499698561aaab2a0b17bdd7972cab535335904d94879c0c4b1e59b27230

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
488KB

MD5
ce3c093cacd862949b2916d656961be5

SHA1
668463857cace22a56cb40afb33d89af52dd137d

SHA256
7091a27d602dc4090f4e36d9e8f9430f38eeed8998e2121337997ae85b92423d

SHA512
428e384a9856e0c64ba3f48c4318e4951eab8c863fa84d7059fe845056c12f435ce4e0e21f48dfbe85071802e69cc9ac89ffd41613c6141e026d2946deb571b4

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
488KB

MD5
8d60dcc252c6677ffdf210994ca0978f

SHA1
f549cf802a5601a071dd8f9690b3cb7742ec06de

SHA256
baaec83fcaa7e6773b9fe7eb244c0b73f2ca1f0ebc183f02e21b66e509b19843

SHA512
e61e8a4c590ae2d2211f6bba2fcd5feca5e590a69444ddb12afe0e9fcb2f8d8dc53b469db3bffac026b7828189bcc219366a67223438b808032e3417382491bf

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
488KB

MD5
19234e3e9371ba2313e72f370f287c63

SHA1
9cb10d610300411119b9a2c62c2ca0099f121f77

SHA256
7afc20ca1fa6e35879751f6b316165d5ad6321a00a4f84050c8737b8a6a45f53

SHA512
0232bec2dfc8ccf04ac5ca6b950139e416984705fab8aa0c3e0f14ea2f1713fad2a61dbc9e9004c80383b0884c1a3400d18adf44ffb1a29790c3a9196ba8594c

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
488KB

MD5
8873d736c1d0653133908520586953ad

SHA1
aba6f0cc957b0c7a417aaaf18e8ec10bccfd4928

SHA256
82af5bb0b3427d84ae00d2b8ce7253278aaedfe86491c0b60ca123c4064156bf

SHA512
bd57bb58c46a4bbf1895301a556065e49d75930762ba9be1e53f6d141791154ded3508cbfbd6d2ae2d93e131c73e7f9b38fa5209ebd69561a37448d311b67f8a

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
488KB

MD5
c6233399114e115d37b3968fd11b23ff

SHA1
54484da4ee18193be7b89ef3ed1ffbd2058908d6

SHA256
9d22645ff6323ec3d9e1bd99b24474af103126754cc584831888e6f1fa03cebd

SHA512
387849a63e461115feee23d597a82d1312339cd63e9c20080fd8ea66e89635f2f1a58dfb213325cf62384815d8cced10c52545e34f413564d0398ac0f22b8e28

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
488KB

MD5
d6ab291dbec5103516602c0d48436518

SHA1
ce927021fdca805c2a3217c61f66d8140c90f101

SHA256
66fd70a533b29a50324358aefab5b72d21f66a292ae0f74f523cf41ebdbd74b3

SHA512
8efbb8eac11fa3286afbfeab8f61083caffddaa9074859a0d515592f66832e7c0c9721ab747b1a6351fe9b61b7bc23bcdcfff492580f4b56b65b16d89da7a8aa

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
488KB

MD5
f48a6704ee08c083c0e29572ab0b8ee4

SHA1
20595299856d10ef6065ce477f6747d91571b8d4

SHA256
d7b1d211b6a515b012aa111e06af594276797d76d6a91b7c670820fa534d2130

SHA512
f63e062ba770830c7a4597f330358850131a0bdaddcf3fe19665d6c129e8d5a87677911b9f719b6d4b7788ff9608f5c7a27c63714e6a8b394a02aac96eefb391

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
488KB

MD5
429b03aaf15902db6162cfe3382abeba

SHA1
dc566696f006c6b2e432e37fe1d8938ac23756ef

SHA256
51cefa5d49a534118a44d74c2de420bef50052775f35cf476f5016b4b7ef5e3a

SHA512
91dfe46fc3e26cce116f74ef1d227d82da80c939edbdfd58028f9883f727876c7d4e0ea3a1ef9149178a013048831d3be05c4cf777312d8cf2236e2935c94e82

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
488KB

MD5
8d4c78a76835f934fb08fc861c47f672

SHA1
fc12a7d1f3228367c61d3a7da6b0530432d8a7ba

SHA256
aff26bebcf2970403bbc471e927b46204cb1445fc80c3e0808a9a306adf3be26

SHA512
144cca7c674e0854ea61aafffd58c9123f3c856677ef7d7ca2274bb1c69ad35615d4c360e19e151dbdd5d0bfb81a938e4c5a6053fc823b4dd00805f74c8672e0

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
488KB

MD5
45faec905c9893d3a21585d699ef00e5

SHA1
83ec7894e0a61f9a3cfcdd552522aab88514e96f

SHA256
8232d8511d41bc339b65d808204d9db16e2e5294aad1536c5f0cd872d6aef72d

SHA512
3d157739dc2f0c18d8703942749f10675b949c26ca56a79b99b844e225db87d2656f5fbadbc0277016daad950f68944535104fcbc2dfd36f44e710e19a798928

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
488KB

MD5
3240b821aad8588193e5564445eddff5

SHA1
2b812e520c59121295f64a97454e73b166016241

SHA256
2622aa7fd876e5fb41a96b9331c68ceba6ab83527abd3e28696474a66f1cd83b

SHA512
5af8f4dc1bd56e1922ab703d2c70aa210de938b090f78718e00f0df3c9c66e4b86c3a1ba5c4dd3727390b0c9a5292d564708ec29acb7cc5bfbd4af9bf3c6aaa4

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
488KB

MD5
c61cfd4671b65708b46d23c57b937178

SHA1
ec0ee4997885c80276370b3d4b60de67f3e9d91e

SHA256
5bbceef8de9ed0ceda048181b5a596d6d036107cdf0bf002b4be62bbc800bcaa

SHA512
8ea9fd48a1b7e0fc82bb76473c7e16b6a593394d44bf8729791b26c1f9a1924b15ba0e15151c49ded576bbc72cf41c34cb1f32c6e8d77a2ec6dc71509eb405a9

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
488KB

MD5
63b351b46ad3e589ac991c4d85b2767b

SHA1
c543557bb32d3cf3a051aa875614a369b9b1fdc3

SHA256
c5b2ad6f9d7f8296bfadfee75bc9fc4bb87d71a6bbfd78957ae1a3023eb1ee41

SHA512
365514c9ecf28270427e0359cd1af70d02887c6353a37def4200fd4f3c069df46bee08eae3729505d29c5f45a985b56a0d64057f38cf726a48a75cb1b2700335

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
488KB

MD5
15c874e74113614c3ede2aa361b29158

SHA1
ce283e7e728cb8938039e6224b16f416656dd992

SHA256
5e468d3ba1a888dcbc2f31156e5960d8ef983f108630b9cdc3d1780b02285ef8

SHA512
a85c3377e5661fb1d7841359d5dcf99d56aa8bb4b345a0be50eec75e8240be655c7774a3c4048fd2aef7e2b056a69562ef0b06c39f395ca095b68d43fe67d044

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
488KB

MD5
3bac97cf4602cd5170617119a5c3344c

SHA1
4a7290cbfe2a51939fe3500e63c31e9bbc6bdb01

SHA256
2ae80a56b66ac83de0c1888e6dcc6b0a6ab853da73f6b08eea634b5cbbfff800

SHA512
f5918d005155fb0c97a1cb2df68abc42012d77623b3573d5988929dad789cc318b84e080f55d683e8771cd651a218835a5b3a4e313cc7b5b12e44e79e78a1ee9

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
488KB

MD5
de1e4992eb8fda42c87356ecef689099

SHA1
cc5729e992d21e10a6dd34d0b5f1946c28ab180e

SHA256
28bb5a3f1434b42220193416f30fe610740f8a61111d97cef40ca3246420cf16

SHA512
26e25b42ef4007df23a01a32a0a81fa35c9a47fa44711c516c47eed082c42d81123bb07cb199915596e2e2b934ede487f641ae50849405521fbb7705fea0896e

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
488KB

MD5
7fdc1ebd2498be85b19374716829f9d7

SHA1
726ead50655fa5270f7d13c4dbc5fe5ea467f0dd

SHA256
8e1f8bd21fd4a9e5f19356879ce97f3a1192bfd56563b543e256b79f65a1d066

SHA512
08202ca8066efd886d193ac862a2eb5d304f9a04b239c164c7cddcc520c2ac97c0af1aa02a7d93a55bdc06addb40b4149e185ac70344aa2b2ec7ac4616838032

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
488KB

MD5
32b7367888fb35d84b3a0c37c51f4ae1

SHA1
ca273046e9533c336c5e8f66f5b387b4e093f30a

SHA256
88cff2848e541e26a156b0c91d54474fff57480ddaa925f575bc7a19959524a3

SHA512
17d8e09c196688b5861a1b00f9b73d9b6c662478347f139560dccc7946b4bb26917480da0a64e95b2b7d69523344ad969ad9844895c8516ce73ee5bc3dde3e9d

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
488KB

MD5
0d9be55f72c9f912872c9e54b8337cfe

SHA1
06fd6ffa7233fa7fd12731c238a0b62a6a2fd9c5

SHA256
fb43cb432214a1a514775aead5c2337ece727478e8075b658e63f47f29b023ef

SHA512
08fba2217e4986c478001e4f913a46c88c12fd07490b6babc141f1238f3429f416d4801bbb650941d5ae3d27d4938cd1762e626a4fe949d3ac8895880f4c66a9

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
488KB

MD5
63169b38384cb909a46507c0c5204a18

SHA1
887d66e601afd0d3ab95017cbbbf642197b89d6a

SHA256
8df53a04b927d8391e363f0a4925237b3e33bf00b24ff378e5ede12755bdecbc

SHA512
db21e43c8241630083bb648b79f15147b7c65345046b6af221e2471510293af9442188c58519d95c8119d5f488324d2ca6b90b33394dca04df57e6ad6f946a9b

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
488KB

MD5
be838fa1310a39b584ebb7de01779401

SHA1
25f44a76ca40035c2f0daa18ac21ba5d3fdeaa8a

SHA256
c300f1f6a11f43e8e9fbc5f027e1a0290476ad4f4487a72cded1aa75e525146e

SHA512
26828ae6d75c96644d943bebb67990d380fab26eec880e7bd5087265b5266654b25ca241afa36e9dfa5298d7d9754440078111586adff0e2011d34ed2c4f40f2

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
488KB

MD5
c9f0376a3ac01a592b37b7967e30c0f0

SHA1
535ebbccc21d7904a1bb90f3700c8727fa2e6b30

SHA256
9102cc338e80551a4b510409f1c4879c467e545d29dc3153d3f9eb80d7a70d7f

SHA512
e70a543b58691b4a644fd866904f092eda38220edbaea85301f249b26f9414127932cd2604cb1ee4991cdb1eed72301826c42b1dce223b3b2a48efb2d22edea1

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
488KB

MD5
2637e0a105844f4892dd75e07a4bd162

SHA1
2eb1b4418fd93f97a5dbf7c0871f4b662e350a9f

SHA256
d30ef8fd04e71ea0b1f100971fd9b472e83709cd5aa26a4982bffb3500aacf82

SHA512
6844bf5526955f1f42e2fc944b923b687f1d3d000934f4f473c9dc73022c6a88f4d4305c3b211b8dac742b67c78710d27ba6dfd9170c6f39cfaa87fa3ad462fa

Download Submit
memory/116-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/244-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-889-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-885-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-895-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-897-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-899-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-886-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-900-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-898-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-893-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-888-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-883-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-887-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-890-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-879-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5296-877-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-839-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5456-873-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-846-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5492-853-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5500-872-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5580-870-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5624-869-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5656-851-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5688-838-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5880-863-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5936-862-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6056-860-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6112-841-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads