2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e.exe
Size

100KB
MD5

4a3f0ded578e7b7a7541747c03d10f23
SHA1

36d37bf01ee73e87d9e8d49c3a682eccd70a7595
SHA256

2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e
SHA512

c05254c8066029f009b3da313a208f29cfd911008c263c8f477722fe389ae055ef692982fd42fff44a16d68cd361902c5b9ea7ec604bfe0bef6c783cc317a737
SSDEEP

3072:PI2KtHO1kAEpPjg1D/hffsfTu7Q/gb3a3+X13XRzT:AZu1k9+E347aOl3BzT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdhmnlcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfpcgpae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkikkeeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffddka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flceckoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecandfpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhemmlhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbpgbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecandfpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkjlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdqgmmjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ildkgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe

Executes dropped EXE 64 IoCs

pid	Process
4616	Ecandfpd.exe
388	Fljcmlfd.exe
4920	Fcckif32.exe
2284	Fllpbldb.exe
2256	Ffddka32.exe
1444	Fchddejl.exe
2428	Fhemmlhc.exe
5020	Fckajehi.exe
1748	Flceckoj.exe
2536	Ffkjlp32.exe
3428	Gkhbdg32.exe
3384	Gdqgmmjb.exe
3200	Gfpcgpae.exe
2276	Gcddpdpo.exe
3076	Gcfqfc32.exe
2720	Gdhmnlcj.exe
3500	Gomakdcp.exe
1016	Hfifmnij.exe
1512	Hmcojh32.exe
1896	Hbpgbo32.exe
552	Hkikkeeo.exe
1480	Hmhhehlb.exe
3936	Hcbpab32.exe
3976	Hfqlnm32.exe
3092	Hbgmcnhf.exe
1292	Iiaephpc.exe
4452	Iicbehnq.exe
4368	Iblfnn32.exe
4244	Ildkgc32.exe
3772	Ibnccmbo.exe
1392	Iihkpg32.exe
2808	Ifllil32.exe
3408	Ilidbbgl.exe
3620	Ibcmom32.exe
1956	Jlkagbej.exe
1040	Jplfcpin.exe
404	Jmpgldhg.exe
2960	Jifhaenk.exe
3020	Jpppnp32.exe
4588	Kdnidn32.exe
4544	Kepelfam.exe
784	Kpeiioac.exe
2372	Kebbafoj.exe
4388	Kedoge32.exe
4020	Kmkfhc32.exe
1712	Kfckahdj.exe
2864	Kplpjn32.exe
4004	Liddbc32.exe
3040	Ldjhpl32.exe
3180	Lekehdgp.exe
548	Lmbmibhb.exe
2160	Lfkaag32.exe
556	Lgmngglp.exe
1532	Lpebpm32.exe
2260	Lingibiq.exe
4824	Mdckfk32.exe
4916	Medgncoe.exe
3372	Mgddhf32.exe
4092	Mmnldp32.exe
840	Mgfqmfde.exe
2208	Mlcifmbl.exe
4008	Mgimcebb.exe
2712	Mmbfpp32.exe
1456	Mdmnlj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Kedoge32.exe	Kebbafoj.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Gdqgmmjb.exe	Gkhbdg32.exe
File opened for modification	C:\Windows\SysWOW64\Hfifmnij.exe	Gomakdcp.exe
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Fchddejl.exe	Ffddka32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Jifhaenk.exe	Jmpgldhg.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Mfadpi32.dll	Iblfnn32.exe
File created	C:\Windows\SysWOW64\Dlkhie32.dll	Ilidbbgl.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Ibcmom32.exe	Ilidbbgl.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kedoge32.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ecandfpd.exe	2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Icfpbq32.dll	Fhemmlhc.exe
File created	C:\Windows\SysWOW64\Gdhmnlcj.exe	Gcfqfc32.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Gdqgmmjb.exe	Gkhbdg32.exe
File created	C:\Windows\SysWOW64\Hcbpab32.exe	Hmhhehlb.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Fljcmlfd.exe	Ecandfpd.exe
File opened for modification	C:\Windows\SysWOW64\Fcckif32.exe	Fljcmlfd.exe
File created	C:\Windows\SysWOW64\Fiknll32.dll	Fcckif32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Flceckoj.exe	Fckajehi.exe
File created	C:\Windows\SysWOW64\Ffkjlp32.exe	Flceckoj.exe
File opened for modification	C:\Windows\SysWOW64\Gomakdcp.exe	Gdhmnlcj.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pmdkch32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6044	5908	WerFault.exe	207

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdqgmmjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iicbehnq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fljcmlfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcddpdpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iicbehnq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kedoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fchddejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcfedla.dll"	Hkikkeeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiknll32.dll"	Fcckif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfjnoma.dll"	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elikfp32.dll"	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejfanad.dll"	2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbgmcnhf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 4616	3592	2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e.exe	86
PID 3592 wrote to memory of 4616	3592	2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e.exe	86
PID 3592 wrote to memory of 4616	3592	2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e.exe	86
PID 4616 wrote to memory of 388	4616	Ecandfpd.exe	87
PID 4616 wrote to memory of 388	4616	Ecandfpd.exe	87
PID 4616 wrote to memory of 388	4616	Ecandfpd.exe	87
PID 388 wrote to memory of 4920	388	Fljcmlfd.exe	88
PID 388 wrote to memory of 4920	388	Fljcmlfd.exe	88
PID 388 wrote to memory of 4920	388	Fljcmlfd.exe	88
PID 4920 wrote to memory of 2284	4920	Fcckif32.exe	89
PID 4920 wrote to memory of 2284	4920	Fcckif32.exe	89
PID 4920 wrote to memory of 2284	4920	Fcckif32.exe	89
PID 2284 wrote to memory of 2256	2284	Fllpbldb.exe	90
PID 2284 wrote to memory of 2256	2284	Fllpbldb.exe	90
PID 2284 wrote to memory of 2256	2284	Fllpbldb.exe	90
PID 2256 wrote to memory of 1444	2256	Ffddka32.exe	91
PID 2256 wrote to memory of 1444	2256	Ffddka32.exe	91
PID 2256 wrote to memory of 1444	2256	Ffddka32.exe	91
PID 1444 wrote to memory of 2428	1444	Fchddejl.exe	92
PID 1444 wrote to memory of 2428	1444	Fchddejl.exe	92
PID 1444 wrote to memory of 2428	1444	Fchddejl.exe	92
PID 2428 wrote to memory of 5020	2428	Fhemmlhc.exe	93
PID 2428 wrote to memory of 5020	2428	Fhemmlhc.exe	93
PID 2428 wrote to memory of 5020	2428	Fhemmlhc.exe	93
PID 5020 wrote to memory of 1748	5020	Fckajehi.exe	94
PID 5020 wrote to memory of 1748	5020	Fckajehi.exe	94
PID 5020 wrote to memory of 1748	5020	Fckajehi.exe	94
PID 1748 wrote to memory of 2536	1748	Flceckoj.exe	95
PID 1748 wrote to memory of 2536	1748	Flceckoj.exe	95
PID 1748 wrote to memory of 2536	1748	Flceckoj.exe	95
PID 2536 wrote to memory of 3428	2536	Ffkjlp32.exe	96
PID 2536 wrote to memory of 3428	2536	Ffkjlp32.exe	96
PID 2536 wrote to memory of 3428	2536	Ffkjlp32.exe	96
PID 3428 wrote to memory of 3384	3428	Gkhbdg32.exe	98
PID 3428 wrote to memory of 3384	3428	Gkhbdg32.exe	98
PID 3428 wrote to memory of 3384	3428	Gkhbdg32.exe	98
PID 3384 wrote to memory of 3200	3384	Gdqgmmjb.exe	99
PID 3384 wrote to memory of 3200	3384	Gdqgmmjb.exe	99
PID 3384 wrote to memory of 3200	3384	Gdqgmmjb.exe	99
PID 3200 wrote to memory of 2276	3200	Gfpcgpae.exe	100
PID 3200 wrote to memory of 2276	3200	Gfpcgpae.exe	100
PID 3200 wrote to memory of 2276	3200	Gfpcgpae.exe	100
PID 2276 wrote to memory of 3076	2276	Gcddpdpo.exe	101
PID 2276 wrote to memory of 3076	2276	Gcddpdpo.exe	101
PID 2276 wrote to memory of 3076	2276	Gcddpdpo.exe	101
PID 3076 wrote to memory of 2720	3076	Gcfqfc32.exe	102
PID 3076 wrote to memory of 2720	3076	Gcfqfc32.exe	102
PID 3076 wrote to memory of 2720	3076	Gcfqfc32.exe	102
PID 2720 wrote to memory of 3500	2720	Gdhmnlcj.exe	103
PID 2720 wrote to memory of 3500	2720	Gdhmnlcj.exe	103
PID 2720 wrote to memory of 3500	2720	Gdhmnlcj.exe	103
PID 3500 wrote to memory of 1016	3500	Gomakdcp.exe	105
PID 3500 wrote to memory of 1016	3500	Gomakdcp.exe	105
PID 3500 wrote to memory of 1016	3500	Gomakdcp.exe	105
PID 1016 wrote to memory of 1512	1016	Hfifmnij.exe	106
PID 1016 wrote to memory of 1512	1016	Hfifmnij.exe	106
PID 1016 wrote to memory of 1512	1016	Hfifmnij.exe	106
PID 1512 wrote to memory of 1896	1512	Hmcojh32.exe	107
PID 1512 wrote to memory of 1896	1512	Hmcojh32.exe	107
PID 1512 wrote to memory of 1896	1512	Hmcojh32.exe	107
PID 1896 wrote to memory of 552	1896	Hbpgbo32.exe	108
PID 1896 wrote to memory of 552	1896	Hbpgbo32.exe	108
PID 1896 wrote to memory of 552	1896	Hbpgbo32.exe	108
PID 552 wrote to memory of 1480	552	Hkikkeeo.exe	109

C:\Users\Admin\AppData\Local\Temp\2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e.exe
"C:\Users\Admin\AppData\Local\Temp\2ee2643761df0a89cd4004489d33cca9a69c2fafab1c1561c988130bef78786e.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\Ecandfpd.exe
  C:\Windows\system32\Ecandfpd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\Fljcmlfd.exe
    C:\Windows\system32\Fljcmlfd.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\SysWOW64\Fcckif32.exe
      C:\Windows\system32\Fcckif32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        24⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        25⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        31⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        33⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        36⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        39⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        42⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:784
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        46⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        59⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1088
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        67⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        68⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        69⤵
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        70⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4448
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4460
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        83⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        84⤵
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        86⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        91⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        92⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        95⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        99⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        100⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        105⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        106⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        108⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        113⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        115⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        119⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        121⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 224
        122⤵
        Program crash
        
        PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5908 -ip 5908
1⤵
PID:6012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
100KB

MD5
07be8db42718be75a0d0bc4e24980fe1

SHA1
957c726d85387c620c7b3783da7d5b6e524bf8e3

SHA256
1b2a48ed38953743fcefe6b6b49940cb8ec98205f1290a1339c8bf67aaf2946f

SHA512
f5afde0f6eea22cb51a30ae3365434ff95df2af30ac97ecabeb0c81570c6e5ba91f0d7f0910b923c16c54d332c8e3f7fa05b4e34d66d63e434de2fb77251ee87

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
100KB

MD5
b690498c4430f0e1899f8e8359097d35

SHA1
f6c8135aeeb5bdea0440b9b4893ec9c2f4c46216

SHA256
8f5fc1b094fc7b31b8665f5dcd304546791e00c716b1b9afbd2bee7b4e1e3edd

SHA512
bd97ecd08b7afec5105927c550cf98d5ca59e71edf210ba812c79fd93488f0c5de74cc8471e57f9f1f3d5108e3cc4622c539ca6b6c6672aadbae66b86abded93

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
100KB

MD5
f5f7707191916007b5154cec9aa488eb

SHA1
4f48f7fbd7e3b578402828b8023fa878b4a0a300

SHA256
13e723749a1ab842fc86fc722f52f788011aaf561872b3db458993e2403914ff

SHA512
e835c284cbcc9e40f3cd05a94369e7b5a042f20c5c24bab8ff7545d96924940dfe8abc2ae3efaec60e44f30b8a524e03fbd42112e276e9399991dfbc5cb223be

Download Submit
C:\Windows\SysWOW64\Fchddejl.exe

Filesize
100KB

MD5
ae0d4b32f9ea80d5af10f6a2e518ddfe

SHA1
c74a49838d86b924b6c06d8690dbb22b345d0dfc

SHA256
003d055223bf010f2c82d7464f4d44d7efe52a9a94f6be0a62f9fdabc7195801

SHA512
147726d6e0ad2d2d7089b0c28784051109e56f72558b8a7154377d04b878ab1146d7e20703681ecc86c347f1794748361a7668aab3ccce86fbc50c656dba90b6

Download Submit
C:\Windows\SysWOW64\Fckajehi.exe

Filesize
100KB

MD5
25bdbaffffbe841796b5692fd21b5275

SHA1
9090e1fe0d1e34f7c686db32e6f47aa9938463c1

SHA256
3220bd566febc1d1b2b9791e3f8e1fa1fbbd4692d0ef82c53c5707796c2116a5

SHA512
0f21163f88490ad198cd3f06b728a081b74c246792e38606ef55c462209cd09edae3ee5bfec760a5fe6dd305318c41120400beacf28d003ad302abc1065c118f

Download Submit
C:\Windows\SysWOW64\Ffddka32.exe

Filesize
100KB

MD5
86eba68a60c41d41f2bc58955d71c327

SHA1
a1d999178f8148b37e96c28bfaea87b7ec86df36

SHA256
ad1e3a80b909ea1306bc33ee587b7410231a94ddc3d9609bd9d331d06c9c4f27

SHA512
8db22292c1b9ebc2f16b33e0944cfbb9a396697ed622ab9cfc7890fdc0fff21abbbab7490c939931e4a5f0252dae044547e71b08c7697c4d7240d4d325141e5c

Download Submit
C:\Windows\SysWOW64\Ffkjlp32.exe

Filesize
100KB

MD5
162cdb5d2f18b2678e2bd04e2d5070a9

SHA1
770b8f6e9f9fd87b7ec8ceef1dd979f196922fec

SHA256
01acd45588c3ac7638f4aebcc3c812d871dc9e62b256ff8509e28b5b3e39a10e

SHA512
b42a85f19d21626b18bff62a448c6ad67ff899a0690d482937f2d190bc2a357f02a647da369081512393e2e991eac263a16b73eab4f99729f1f0d7944ea30eaa

Download Submit
C:\Windows\SysWOW64\Fhemmlhc.exe

Filesize
100KB

MD5
7194b3f43f428cbf72f71217b8901512

SHA1
fb8a4d91a79b0fe5154ed1664ba048a7e112b375

SHA256
e4453bd4c32cc004aa4a0b7ec9b3042533b51feb07d0af2ac71d2966493c25b7

SHA512
a973a225ddfd7b2043d83193abc552fff013e4a9ddf77164c189bd36b9e79b5057f7c9998d7c08ec78f9cb616ad01023f0c4ff94bcffd6c234982889b58e95cb

Download Submit
C:\Windows\SysWOW64\Flceckoj.exe

Filesize
100KB

MD5
839c9f93cb3177d187e222dcd270f329

SHA1
99bd880af03723d2b369d9cde33e65109e51b2f3

SHA256
d4ba6ab5fa6071c2e55de7655c188a39fd6ab1d6add145e1a50d68ce60614a91

SHA512
77dbf9fe72ecd2eae0c11f1cbfe5747a68328e3e88e86640e298173c556c04c0359b264a2836be4b540c9c4d6a96f3ed78510666eeaf8dcff32cf379ee97c588

Download Submit
C:\Windows\SysWOW64\Flceckoj.exe

Filesize
100KB

MD5
80a619a9e2ce9109896c2f03de3651a3

SHA1
a494db3571e2509c1fb3ea5b5603f01ebce8344d

SHA256
8c6536c5e1ff36689ca30b0922d0938f7f0eb6bbe622da1e26ae6072987c9e54

SHA512
6c615b4565a24cef836345cd3a8acb118e2e622b6a70c0550906cfb9cbe6a0fcb6f399bce098f11534ea70e10727555883f969f8785f239e00f01cd2b09dc2ba

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
100KB

MD5
9182ddeafb93cb541dbcec3a07090f7d

SHA1
ba76fc9922f40ce9d2c487dc9f4b474279c15d5e

SHA256
cba79bd3b1fcecde0d0eefaa04bfe7da3eb0907c1eb5f05d1872326c163b9e83

SHA512
3e343b813367c3a4f3c7cf3f3f63bc15008b4be60bc60e7db268731904f14cb49d0d2c47858c07b882b82abd54a64c606879007b6d3532ea81e7481cdff0c99e

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
100KB

MD5
cc4fa66ae16d87993702c426c7ac2902

SHA1
74aa83f5345ca018dba7e6e53d8bebcb6dba4d4d

SHA256
d90646dec0fb228f3197b4772b46162bdc9a6626e211b9b60f39f179008ffa1c

SHA512
cf68b17db2c4f4f6728dcf8380d738e32c9ccacb0cd940dbda622a1770ec07419e3c63d9dad6c85e9bcfc2f2e07304ffe5572b8bbb4f41ebdf4a43f6bbfd48be

Download Submit
C:\Windows\SysWOW64\Gcddpdpo.exe

Filesize
100KB

MD5
ed6f7c98cb3f28ba0b529f9d5205d446

SHA1
855dc83b58a6990875fa4697557c1c49fcaf7bc0

SHA256
2dc8bcd118b5e0d33c6f82c5fb313f57208feb37ec6f2629ab432078919a7c5d

SHA512
88982e5cb10e5ab86754d07e30bbf09b52fb91cca5a941bfc3bc68c9a8c33ad5ebc949bc42bb32473df482660554fec4be922d4455091d5ceb089937c4294e73

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
100KB

MD5
02ff8669a802d083628ede7fb938a8e6

SHA1
2d2ce31471199c87b611c2c2bbec3e0d42d1e598

SHA256
7ba3977343a785a985825b49f4dbb4a1f72b791041d2168733865cd1fcb1c5de

SHA512
cec64ad3e3ad1018590f191b9881e0d5d72fa9443c13d3c6426b52247231ed5393bbc50d4672ffe9e1d03aeddbed5447ae6cee1088656e8a6707990e2fcf79ed

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
100KB

MD5
d953807514b5ab5a4403f13fea7b3bae

SHA1
b10bea1d6cc8869732e291193c57253c23d186ad

SHA256
2be3442dfd8610b0c225d4a29db4aeb17da860b96d2aafd9173391d48010b43b

SHA512
062a041233b9d68c400daa8488090171546e54a4d043d9a3d835a7a7f094f085cd570ea23c21ff2ef1ae5c2a911e9e05a75d50c37e1ba55ec02c883b33989141

Download Submit
C:\Windows\SysWOW64\Gdqgmmjb.exe

Filesize
100KB

MD5
91826d46d761a996d5c777b98d7e934e

SHA1
6bc404b0ad920e9b300c4669f30105e1903f7394

SHA256
aca2554537dfd6d4aac6f13f3b549989ce4d7e992403a3b67e36de92deaf5781

SHA512
ce15aa4f932fbe70a47d04180fa6eb448813e477d04902201c0098ce10d965e7afaf39f0fd4e57b62cc8d4a73146f2439dd7114bc5e4ef94138e829c560ffd74

Download Submit
C:\Windows\SysWOW64\Gfpcgpae.exe

Filesize
100KB

MD5
cd7528f1e483c0914adb3cc43b55daff

SHA1
6a700b454479059bc1f5df3d7bf5595d67f94a49

SHA256
528f7d283e539a543d54e7d9d98b57e0c918d995c30fd4233f284c29619286e3

SHA512
3c2165fa190c55088880356018888ea84013a0429bd824f5689207c0570dff1ecacc42de8c22a53426b4f52419ea4afa1d5c82823dae57b12461cd4d9d6e1cf1

Download Submit
C:\Windows\SysWOW64\Gkhbdg32.exe

Filesize
100KB

MD5
4f696d9eb22e4315d4312d2befe20fe2

SHA1
6661980caea3f829728bf6f6e9396e1213ac5c01

SHA256
ecd80b09541103a5f7ebbfcbbf89b3ca2e27afdaa4fb5516974c053755615061

SHA512
dbaca3fab3e6379283a40c55974e2739de924533187a0941e5a48635394392544f0ed8c5c590b247c98c8589e1d9e7231aef98a4d2b08755d872dec7e878a520

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
100KB

MD5
84caf711f8b3b67691ecd79dac9ba87f

SHA1
60e24ef7e03d21287d07cb9b3f3e3eb4a868f1db

SHA256
5c71df12a2a5e71f07c645811c8fe8f0d79ec2e6f344d1a6371c8bbf04539483

SHA512
6299af0a25537f77ba39fae43885612c692042d0a580f3ea4ab4186834c435f96ae6299d388b54a2b716201fce37057b392fcb5ca4778c4321e9b1c8419481bf

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
100KB

MD5
5588ab3e3d47114c2d9e49d4616f0cf5

SHA1
e976283d0c311b06902e3050fa05a251c3977e9a

SHA256
985bc976d60215fa57cc38923d0787e5bc1082a281c130748bae91cb81b0739e

SHA512
33a9ef34fd0d71a8659b88d336f9df7645b05c18dcb948ed8fc82dfdf366e76cceda45cc0e4069ba4bee9cc881c39c6702e546f8e0fdfd3707cd79802b338a13

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
100KB

MD5
6730cbf16c80f2d37c54e745759bfbf7

SHA1
758d1836aed42265f2052d93e1ef3eea4cfa306b

SHA256
ca3b492b470157d73352b4bb22041482bde1e1812fba2bac895064397d2558db

SHA512
aae76593f73dab33a0f9c772bfd18fb9a77edea4523b830e90cba8d7d3a90f8f93af09fbe17ace23bb9c22b814ff60b7890a4ee08eddcecac3893592b5596d6e

Download Submit
C:\Windows\SysWOW64\Hcbpab32.exe

Filesize
100KB

MD5
a4950f3507480013d288f61653c02d43

SHA1
361d7ed99557550d34d7e628c4c590c31b4b9fe3

SHA256
97f05520591433a5a83d5d437872d2c13a5de9f4fc2533eb9c6fb92b06e24588

SHA512
6006b3db00df05ff1e4eba54d92140c8bf8fbc7070157fa65215f5562777effc1ae41498f5f2d8f78da6b962b77530741b3ed37bdebd5ade5a82e7b1c4eb03a0

Download Submit
C:\Windows\SysWOW64\Heomgj32.dll

Filesize
7KB

MD5
f778c825ffde75092f6c74a33c5919d7

SHA1
84d98e570188e76d1845080eff01850f3de8e465

SHA256
3ab6db33ac5fc6c8a00e87d61f9c746f7f8bc968780e92be3fb903ccade0b0a0

SHA512
faebce1a540c35a01727652085ddee34817e1bd71593949792663584d01e8b6938492a6e3ee8ccf519078cca589fc8a9e3fd08fb5daf88e4ea5d76f38b126795

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
100KB

MD5
ed696205d549af742769fab06d9695f8

SHA1
5030e24bf26d36eb0e730c80939857396362934e

SHA256
51743fe33c92a89a41da13f7931d517b367d23c400f0da540fbab304f27c1984

SHA512
e1071fc4c72a4ecf6abe5b620ddc1f9cdecad435ccc911470daaafbb7d7046de2d08717fe3bf0342a3f95e4dbc0af3d97d575fdebb767cb4c8bbbf2417a05cb7

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
100KB

MD5
6e86ea489acdd40ad3329bef1079b5ce

SHA1
8365e38aac79bc67f8c53104e9db686940ac516f

SHA256
bc2d4c5228f74e3b58adfcbf46a697fb57d8b5d8a8fdc177b1b5de2a9924b1a2

SHA512
98457ebd1e39af6307086e4b4d63ef332dd4735e61c0a9fba33125cb8a3f4a8815584db0e6b3571dcfc668ba83b06563e36f3d16cefdc10edcf42ce8311dc739

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
100KB

MD5
3e71ebd0787ff6eae1dae5a2e801d77a

SHA1
bd0a2b0e5948be9f3a905ff9faddb3b6ce6bdeb9

SHA256
c226e8c8924db1151f71f5bfa087070deaba236b38f107318392b9560a302c00

SHA512
f3686f5ef6838219d05fd21e5deb957d55a1477c3ba999542f8e34c693f5bee315d99a8c3d3a64d167f55232a1d06b24852522e20805de774e0a2c305c083188

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
100KB

MD5
545b859698e1c2e33b12e693fd960ff3

SHA1
83e1f05be790d1cb8bb411933abf65bfb495ac91

SHA256
4313ba6ebc1c5ffe34d250ce50aa1252f0e2a75acc0fc21da83b7191570b2340

SHA512
3ae11b4b40986b4e57d94cdf8cacabe8ffeb273fa696fb9d893b6e5f6900626b3625d730600b4a422a4adb442632916156a8720c78021806b38147ffbfb6aebb

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
100KB

MD5
ba7cffdad0e97d7bd4faf211fc66bc4b

SHA1
373109b2e0c96178fe57c943ae65809b2be6bf4e

SHA256
eb62af1bde70f2f36ada4ec9280aec49ca28995f2db70e05a2e9668406244fbf

SHA512
a4439c5d224925759c33fb9919569cdaf20e16cca2d9425ceeabc34e17ebf6e063eeb4259fa239943af84899ebefc4dba0f5dc2a058bdd81e0f5d67b965a75fb

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
100KB

MD5
900dac2cd0dfccef61fbcdc6136f4c51

SHA1
c08c357b300239df9210eb8f069c731a66f78fe2

SHA256
abd2135afd58c12dc66a45d1635eb5754ca9eb42a76c318e12e4771e74b0f91e

SHA512
296799ac2a2b54ca51d2e2bed96950d532f889fd5dddd36b129b1df3bf26cc82b824b8191e4a3bf242eec7087874fa2f426d90ce65ae4f0aa1a6a080c516854f

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
100KB

MD5
6e66b814314554ea36d595d40bc83419

SHA1
99f0741bbe3afd5285c4b108e55ec303ee4ea1be

SHA256
b5f42f77c2f4592ed01ab1d22eae74ae9b18ee0a76114f12a22dff96b48e807f

SHA512
004c0d68810e6f0f83908160a4c30c5ff7837d7474b14a82bad757863fdae7cd72798c8f2d149514b2a0313f5fe3450795ad378fc43a7882c47047ace3a8494d

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
100KB

MD5
2ec2780fe44c759ae9f4da32918de6b8

SHA1
c5b5e239af72872c766bb97258e90e44c73a0222

SHA256
624fb16f8c64547e03f012bbf57448db5284a1413f5be68bb67da3b724ec8fbe

SHA512
5443045bc58416994268dae64a6ce60dc417c567991c76fd47437163e0246fffea9298652e26d431534bcf067258c966c6952fdbf4ab6be0bb4aed299dd140c9

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
100KB

MD5
45e297aae5f93d7505a532ab149b9ea7

SHA1
290d8f6a716a3b9e627bf18f8ebb82efb7b8ce75

SHA256
52cd41e78d5c4948deb9c15ce9af9f6f42e72f7d034448b8e1b1e0945ab6f82f

SHA512
86c0b4d6401d6f70c71ce4a36d1b52fe50a401ae9f13d312867765fa3d45a8f3f6ea3e38e2fd717e68a660d47024027f88af4cf22a2c3f9802190175e721afa1

Download Submit
C:\Windows\SysWOW64\Iicbehnq.exe

Filesize
100KB

MD5
2642b6836648ad7d61965c133607d489

SHA1
3963c70856ac1225581f0dbe3fd69ec7b3fee407

SHA256
3594a1607a8335c5e837f0a7097d996203a2507eebb3ac8da9ebb200c9942dc4

SHA512
d3d3e0aba3514edfa3c7f7b43609ac2e3b05ee317f61809247b5b898987a4c5d1ce2084ff3af0c7c823744fe664f12d87864b953215c07bd36fd978b338ec046

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
100KB

MD5
200e479d6f8aeee752a9983df0df82a2

SHA1
0ea7518965608875f5ad7c4f947486c557d5dc9d

SHA256
aad7e18b68ab83a5926f647027607f7aa9cc89a377011041720bfb7a75d195c2

SHA512
a91e02499e3d1ada6e40feeddfde0b73ef84b9edb0492d0d4fcdc7fe5464a15eb537b73edb046bee74cd333f3756ec9e6d6935857ba4dd6e24fff1c0787f8ac6

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
100KB

MD5
a76f4cb41625df957fcc2e635143e646

SHA1
307a58dba387073bda9abdf94561e8094e50263f

SHA256
c67221b8287ac9ddadbf7602240c29c8b1581bdcb9c8a591d234ac670d10e024

SHA512
160db38c9d23250b074e51e81a1bfd98efd4b1e42f13e30a920da18666c547d925c2f3dec799df1191ad39deb52cd6cb4f3ace09c5546fc9dfc51364369e1c36

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
100KB

MD5
bc39822618f17ab6163eae5fa099f59a

SHA1
57af0085898bba7ee048b5bd47bd182a0ae19cef

SHA256
8a10ff38937a0a56f32e44c597e18c4bce5f0de8d00611e161cfcacc20de0866

SHA512
6040b43a2812b73679bf3c4d8d747e408b72b1e6abdc02af1601c42ca7a7e0b3bf397c03474ed18e6f97ba1ca8ab5775138acb0a423fdb3e594776ec0aafbefc

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
100KB

MD5
d8e29da11fbc2318c9e4a724f8a59221

SHA1
55d8cc6f090c0d1f17688c4e008071903a6dd355

SHA256
d7183941424e8440086d0c0742e3ac5d336140d14c0d254e959f2543bc71a099

SHA512
64cb5e67a322cccfb2e698e35fc9d38203ed437a1f99730f01053cca278872662d2a0f87bcd1183e2171addaaa248920a8b086eaac1dd7fb97a1416e11ee8e99

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
100KB

MD5
45d0b3a105c1dd3e3aca1ca765474b3f

SHA1
9bd6b98e6e21da0b962a3059446a4f5e1d961d8c

SHA256
beb97a04213672b67a2d6636239bd9a529dd98cc945e9c3226d1a845678b53fa

SHA512
9738d7ef3f9f8a89ddead2e75b94bd54c5b07747263a7478330a849dcc544cce9542bb2eb0e913e767d4ddb146add85df14b6e219fb994c766ed55d5247a9766

Download Submit
memory/388-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/548-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/552-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/556-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/784-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1040-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1292-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1480-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1512-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1956-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2160-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2276-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2284-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2428-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2712-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2720-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2808-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3020-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3180-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3200-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3372-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3384-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3408-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3428-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3500-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3592-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3772-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3936-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3976-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4020-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4092-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4244-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4388-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4452-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4588-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4616-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4824-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads