a2d36ec3ec4a21eb1453cfe4deacdbb5b73a414bce3805d1d6f56bcd1a56709d

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5523257cf695500064c3af3de69ff83.exe
Size

55KB
MD5

c5523257cf695500064c3af3de69ff83
SHA1

e13e9735e2dfbdf96b7e02de33d2e0afee6b1f2e
SHA256

a2d36ec3ec4a21eb1453cfe4deacdbb5b73a414bce3805d1d6f56bcd1a56709d
SHA512

49d5aae5cbba11ff8925d706565368e74524921dd6bb0afefe62da7ccad5cead678dea51769fa492dbfb72b12c79fcf8e8959a19fa2c121c8cdc0f99b6c6b4b8
SSDEEP

1536:UQgMj/Bn3oVnIkZfREI1WkHwO/QNEco2LX:UQDjJn3cJDxHwOoCgX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c5523257cf695500064c3af3de69ff83.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe

Executes dropped EXE 64 IoCs

pid	Process
1660	Fcgoilpj.exe
3292	Fjqgff32.exe
3608	Fmocba32.exe
1348	Fomonm32.exe
3732	Fbllkh32.exe
1184	Fjcclf32.exe
1120	Fmapha32.exe
228	Fopldmcl.exe
3720	Fjepaecb.exe
560	Fmclmabe.exe
856	Fobiilai.exe
4816	Fbqefhpm.exe
1288	Fjhmgeao.exe
3104	Fqaeco32.exe
1144	Fodeolof.exe
4548	Gfnnlffc.exe
4140	Gimjhafg.exe
4732	Gogbdl32.exe
3740	Gcbnejem.exe
4564	Gjlfbd32.exe
3152	Gmkbnp32.exe
1724	Gcekkjcj.exe
4332	Gfcgge32.exe
1372	Giacca32.exe
4516	Gcggpj32.exe
428	Gfedle32.exe
4072	Gidphq32.exe
4412	Gcidfi32.exe
4004	Gbldaffp.exe
928	Gjclbc32.exe
2268	Gmaioo32.exe
4780	Hboagf32.exe
3996	Hjfihc32.exe
4340	Hmdedo32.exe
3332	Hpbaqj32.exe
4356	Hcnnaikp.exe
3508	Hfljmdjc.exe
1252	Hmfbjnbp.exe
840	Hcqjfh32.exe
520	Hfofbd32.exe
1732	Himcoo32.exe
1836	Hpgkkioa.exe
3620	Hbeghene.exe
1804	Hjmoibog.exe
216	Hpihai32.exe
3776	Hibljoco.exe
3672	Haidklda.exe
1336	Icgqggce.exe
4916	Ijaida32.exe
4640	Iakaql32.exe
4168	Icjmmg32.exe
4464	Ijdeiaio.exe
412	Imbaemhc.exe
4580	Ipqnahgf.exe
4192	Iapjlk32.exe
1680	Ipckgh32.exe
4656	Ibagcc32.exe
3576	Iabgaklg.exe
2968	Idacmfkj.exe
2520	Ibccic32.exe
1304	Imihfl32.exe
5060	Jpgdbg32.exe
3528	Jbfpobpb.exe
2856	Jiphkm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lcglnp32.dll	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Gddfpk32.dll	Fomonm32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gfedle32.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Fmapha32.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Cmddeh32.dll	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Fodeolof.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Himcoo32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Dofqcl32.dll	c5523257cf695500064c3af3de69ff83.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5572	6032	WerFault.exe	224

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c5523257cf695500064c3af3de69ff83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 1660	4512	c5523257cf695500064c3af3de69ff83.exe	87
PID 4512 wrote to memory of 1660	4512	c5523257cf695500064c3af3de69ff83.exe	87
PID 4512 wrote to memory of 1660	4512	c5523257cf695500064c3af3de69ff83.exe	87
PID 1660 wrote to memory of 3292	1660	Fcgoilpj.exe	88
PID 1660 wrote to memory of 3292	1660	Fcgoilpj.exe	88
PID 1660 wrote to memory of 3292	1660	Fcgoilpj.exe	88
PID 3292 wrote to memory of 3608	3292	Fjqgff32.exe	89
PID 3292 wrote to memory of 3608	3292	Fjqgff32.exe	89
PID 3292 wrote to memory of 3608	3292	Fjqgff32.exe	89
PID 3608 wrote to memory of 1348	3608	Fmocba32.exe	90
PID 3608 wrote to memory of 1348	3608	Fmocba32.exe	90
PID 3608 wrote to memory of 1348	3608	Fmocba32.exe	90
PID 1348 wrote to memory of 3732	1348	Fomonm32.exe	91
PID 1348 wrote to memory of 3732	1348	Fomonm32.exe	91
PID 1348 wrote to memory of 3732	1348	Fomonm32.exe	91
PID 3732 wrote to memory of 1184	3732	Fbllkh32.exe	92
PID 3732 wrote to memory of 1184	3732	Fbllkh32.exe	92
PID 3732 wrote to memory of 1184	3732	Fbllkh32.exe	92
PID 1184 wrote to memory of 1120	1184	Fjcclf32.exe	93
PID 1184 wrote to memory of 1120	1184	Fjcclf32.exe	93
PID 1184 wrote to memory of 1120	1184	Fjcclf32.exe	93
PID 1120 wrote to memory of 228	1120	Fmapha32.exe	96
PID 1120 wrote to memory of 228	1120	Fmapha32.exe	96
PID 1120 wrote to memory of 228	1120	Fmapha32.exe	96
PID 228 wrote to memory of 3720	228	Fopldmcl.exe	98
PID 228 wrote to memory of 3720	228	Fopldmcl.exe	98
PID 228 wrote to memory of 3720	228	Fopldmcl.exe	98
PID 3720 wrote to memory of 560	3720	Fjepaecb.exe	99
PID 3720 wrote to memory of 560	3720	Fjepaecb.exe	99
PID 3720 wrote to memory of 560	3720	Fjepaecb.exe	99
PID 560 wrote to memory of 856	560	Fmclmabe.exe	100
PID 560 wrote to memory of 856	560	Fmclmabe.exe	100
PID 560 wrote to memory of 856	560	Fmclmabe.exe	100
PID 856 wrote to memory of 4816	856	Fobiilai.exe	101
PID 856 wrote to memory of 4816	856	Fobiilai.exe	101
PID 856 wrote to memory of 4816	856	Fobiilai.exe	101
PID 4816 wrote to memory of 1288	4816	Fbqefhpm.exe	102
PID 4816 wrote to memory of 1288	4816	Fbqefhpm.exe	102
PID 4816 wrote to memory of 1288	4816	Fbqefhpm.exe	102
PID 1288 wrote to memory of 3104	1288	Fjhmgeao.exe	104
PID 1288 wrote to memory of 3104	1288	Fjhmgeao.exe	104
PID 1288 wrote to memory of 3104	1288	Fjhmgeao.exe	104
PID 3104 wrote to memory of 1144	3104	Fqaeco32.exe	105
PID 3104 wrote to memory of 1144	3104	Fqaeco32.exe	105
PID 3104 wrote to memory of 1144	3104	Fqaeco32.exe	105
PID 1144 wrote to memory of 4548	1144	Fodeolof.exe	106
PID 1144 wrote to memory of 4548	1144	Fodeolof.exe	106
PID 1144 wrote to memory of 4548	1144	Fodeolof.exe	106
PID 4548 wrote to memory of 4140	4548	Gfnnlffc.exe	107
PID 4548 wrote to memory of 4140	4548	Gfnnlffc.exe	107
PID 4548 wrote to memory of 4140	4548	Gfnnlffc.exe	107
PID 4140 wrote to memory of 4732	4140	Gimjhafg.exe	108
PID 4140 wrote to memory of 4732	4140	Gimjhafg.exe	108
PID 4140 wrote to memory of 4732	4140	Gimjhafg.exe	108
PID 4732 wrote to memory of 3740	4732	Gogbdl32.exe	109
PID 4732 wrote to memory of 3740	4732	Gogbdl32.exe	109
PID 4732 wrote to memory of 3740	4732	Gogbdl32.exe	109
PID 3740 wrote to memory of 4564	3740	Gcbnejem.exe	110
PID 3740 wrote to memory of 4564	3740	Gcbnejem.exe	110
PID 3740 wrote to memory of 4564	3740	Gcbnejem.exe	110
PID 4564 wrote to memory of 3152	4564	Gjlfbd32.exe	111
PID 4564 wrote to memory of 3152	4564	Gjlfbd32.exe	111
PID 4564 wrote to memory of 3152	4564	Gjlfbd32.exe	111
PID 3152 wrote to memory of 1724	3152	Gmkbnp32.exe	112

C:\Users\Admin\AppData\Local\Temp\c5523257cf695500064c3af3de69ff83.exe
"C:\Users\Admin\AppData\Local\Temp\c5523257cf695500064c3af3de69ff83.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\Fcgoilpj.exe
  C:\Windows\system32\Fcgoilpj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\Fjqgff32.exe
    C:\Windows\system32\Fjqgff32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\SysWOW64\Fmocba32.exe
      C:\Windows\system32\Fmocba32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        28⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        29⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        37⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        41⤵
        Executes dropped EXE
        
        PID:520
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        44⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        57⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        61⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        65⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4388
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        71⤵
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        72⤵
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1048
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        74⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        75⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        76⤵
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        77⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        78⤵
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        79⤵
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        82⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        83⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        87⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        88⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        89⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        90⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        91⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        93⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        96⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        97⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        98⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        99⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        103⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        104⤵
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        105⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        107⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        108⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        109⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        110⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        113⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        114⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        115⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        119⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        126⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        130⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        132⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 408
        133⤵
        Program crash
        
        PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6032 -ip 6032
1⤵
PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
55KB

MD5
0374cf37123dbd6ac67d464f82a41e63

SHA1
b1e955c7f3b6a47c6512c02269c28f4043b1fd06

SHA256
2701dc39d904334ccd73614a55b3baeb93235f3c9b731f424237ecb4208893ae

SHA512
ed7394fe04e2333cf0ebc61972870a8a2f14e721bc0a3ea6d7ca5f01f11bbfe62db85de03c75db53489ee1509c87d6ec2dfd2e01fcbc7d60bc7a11e3fa0e261d

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
55KB

MD5
9d0042ac145b7b7336b1b55791949f29

SHA1
b2f13b6cdcdfe85c24b163dd60acc6e355fd5332

SHA256
36ac1c9b2abdcb5ecf2c22ecb531c7f61d2bef864cb5d899b2751dd95770cb6f

SHA512
1d351bb6f6989a012d79a5898a5e0e1af38e3a6f79b20d82607fbe613f382e4ca0fb007ae47c9d4bc5ff8953792e087b1f058a0a65c56ff1a23ebe79fcb10ed3

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
55KB

MD5
e9041402abc5b09b620b45c25b30b1e9

SHA1
785ebcd69f6aca5c3367217975e47b73d1ffa374

SHA256
0ff0d661cf8052e6b3ce6474734615208d1b5e5b5735879b5ec716a8654102af

SHA512
bb8b1cc1f6e24bea9f1298d7a06a9ca3b2c75a75ccfaaabd347c0d1881243ef6aa1a9c1f9ef468e5b701c03fa7b50cb76d111901fb660b1fcb853533936cf206

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
55KB

MD5
3e25ce93320bbd95381cb8dd5789daaf

SHA1
559b82edaa6cb83ec66c10397a64ec0f0a457eb5

SHA256
8f73a115d15da54da3c2f8eef7fc6367a5456850e540f9c6e30f24e1e5779315

SHA512
ad223ed3f867f77121da025d86f61b6e7a33c3a11e167d50ced7e79e597223789319a42d47064c6d577b5f2151590a410e167fd150fb6a2483b057024a88f7e7

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
55KB

MD5
537e036bedf4d5f23a16b358222704a4

SHA1
682e57d74b674f55ad33885dbfa1dec13ded2326

SHA256
616a903336eedb6f701d1736fdfc8fbc959a26335f5e5fcf84cbf3de51e08a31

SHA512
bd90e503dfd36a0e324ae75207938e8f98fb2a4aab7acf10fc645ed6d3e0068c291473f981bd84e4aefadefce4bd3ebc8ac4d7348a935c3a4b9781c6594e51b2

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
55KB

MD5
b9b72f44ca5c63bfd6f02add530e3b13

SHA1
302a5ff92373d3726db97f61c6d2b238b040a635

SHA256
6731814f3f1b35019c9601be2b4b942a115ea59258b72552444becc62303b81c

SHA512
c457f4bc89c6ded9f7f260029acdf69b582730b111f26ca5447abee9460c16ec773b067b3a59c8a012f0d3323eba7d638040eaab4e8c95f7ef9288cb9694abcb

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
55KB

MD5
88f2ad1474a2bd727e7b8fe168896872

SHA1
b739dea65b175d8c345338d5d5ab51cc75fb135f

SHA256
d5735dedf6e03c7d66b8939d5838e969ac1066dc9d571c1fdf41edeb09806e24

SHA512
aa33b99582cd5c3bc3ea4e89094955fcbb7cb7c62916453678848b41bfc6536ab3e8275be6c939baf70670302a03484aaab33c0d428d6c8961858e7fb59476cd

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
55KB

MD5
fe63ac7703c958a4fdd86cead1b1deb2

SHA1
ffa16becc8691359e0ad0d8cd1b5df3585d37310

SHA256
dac4029e2607f4a5ec7a210c5c9cbb75e774f91dd6d9e3119e1aa657942ff0ae

SHA512
14f60f2657f73d43ea5106ac08b399a08f9dbb6036420c2443ce18524a00170606399cf667f5e94a3c8de97bb6e8e79cc3fa3a4e8aedf4a963e8a48c906d9c2b

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
55KB

MD5
5ff56aabfc8d084b65489a3d27afabab

SHA1
f21b5c488b1501e626e76af6ead7bf6ae97369b8

SHA256
cce87c5ac369883e67835a9243adbdf4d21ead43d3d79170df27d17cb4f2a43a

SHA512
59914e2d3ec50fd2bc7c87c16907871b93e0d4f24b861a67f130440f070ba8833cf86ce9fdd461bdd3c5065ae0cab411a07a44e797f8e59e6dc41438cf0df29e

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
55KB

MD5
42617ac47523752a89b5856a7595421f

SHA1
0c65ea8d0623b261d20cae4221c2a0e6ea4ee14d

SHA256
e4b593b58cdfc1534d4d719ff0ad445f92cfa286195d1dc88a8e8fffc185f6ff

SHA512
a2aefd552b48ede16e2f715c67cc82c39475c27f879dec96c38899f3d68ee81a0f184292bc32418cde6e42b0d23cf1136d1827d30a751dddc6c1da8a2f90862d

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
55KB

MD5
a98e51d1bfeb4bad34e39b4b40e0a4bf

SHA1
c6a5de021a9c535f3b402810c3319711b2c63864

SHA256
ccc49d7818cee0c9e6caec6da58a46011647cee11c878229e103fadd8426fba2

SHA512
a20ce3d9f6402d87fdd48011778133fd75eed95392ffaab79b7fdb7b57a28d663796f6b2b3171fb33dd7f4153d8f3df0205941bf55ff2a1927da07b7a1cb01c0

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
55KB

MD5
55dd05ffd495d4b3c0632c950d4f23a5

SHA1
5a214685e6740a068c936b70b489eed08b65d89d

SHA256
3f010b999428b46d940f8810e4f798edce4478cc0f063ae8d78a25a2147a06d9

SHA512
68bc02a3fbf15d667a8699420c88fdd767f4b03ef0480fd1b00db1877c20d5a11cd7e49ba0afa6e0cd5b57672b31d8360d2861cb3214974622dda74363df7d6c

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
55KB

MD5
75fb38a0e6ce9b8bb550baf5e1c23d7a

SHA1
1da21ea97a498061812f4cb3bf65a9c137c9f90b

SHA256
15941956fdf8b23bcc8b8fe5452b8ee921c19354c91c211b9de3ec2398b7f511

SHA512
16f45e497dcacc983c0f621992bf460ee966a13209ced3acdc0223c5a116bd9ae193ad97f5b2c08b098e72f41125255928d4f7bef50a6eb89f5938ff96cc81b8

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
55KB

MD5
b3fd83e076a1d72a430db801d58e04c2

SHA1
0dfff08ffa32e493993f437d844ef3c7021167b1

SHA256
64717ca603633e69412173a194941f82500183a5a027dc9c5bcb333052a6c1d9

SHA512
2f261b8675d16af87cf6a63f84346934598e19191092f0df03ee83e1c89034a1edd3b0e44b9e07ec8fe5c5ac2bafb511dff85293c75869870cf573a667c9dbc8

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
55KB

MD5
072ed69194ec7e7de50a3a6344ed1e13

SHA1
eac5b63630f7b0e81ad60e513934263f7a06f52a

SHA256
6c7050863d0e3ba29d73be11fc986e2db2ea786c89d50e334be36f2600902ed1

SHA512
d7be2c1d396b40a2f1f7ef0366f5fa717f9b4fea4c28e3d74e8c81c9f451e1f2cb232dad3b3509ee3380ca06515a0ecf2143ec4e9be6d37e14a74de71ff1fac1

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
55KB

MD5
17ea1624fa3c7d8501a6f1e0cf5be1d5

SHA1
4aac7dc0a839b09ce6d1a23ce6a6b35457acf8ce

SHA256
c2f83e0f4a1acdb692756d89b92e9b3739845b8a037bfdb953bbb1cdf6b37729

SHA512
ba342afb92b4b66f3a99a7396f2853f7d021ceebd67677b46550cf913362432694f167ffad2afae90dc39f549ccb08ae6fed63bb5731ed8317e0b3c68b34d937

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
55KB

MD5
ff5dedf0b059c260c5109ce0cd220d77

SHA1
a4ea998412a46c3ad79d43701ac37febf4b12376

SHA256
475dba2602cc5297a582e1ca071273907bf6e9e82fa141d415636a6bf5bd1229

SHA512
54d75dbd8bc62ad749b905da8a4977ae339d16be25c13c2c61c7c799ccadbc79adf3a2185530686214eee802723ede037943ec727170050aad6d056a81b6bb30

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
55KB

MD5
8feda6be7eabadb1c28dac8f767e86bd

SHA1
3a0b9204e012e1779ea2fbfb6ccda6c87e9496a2

SHA256
102db56aae6301e051711a4c5c7230bcbbaeee028438ed9579616819ded87b85

SHA512
d07ee9d26ad3bdf63cf34d51d6b5664a32520e5fefd1b4aad65eb370a791275b15093756b81cde120c3ab6ffd93f7c227d99bcd205825505966b501d79e7c3c6

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
55KB

MD5
5181130562fd75d3ce45d49885746969

SHA1
5f0125e6d1e4c70a63fcf310bcbbd329d75eee3a

SHA256
58b238ec8aa5329297986d8b260d3db60cbf069dde8c575a929bd4bb43d797a0

SHA512
ec9d33601fc000d84eebc096f8321f3f5fa5bdd205897e17059080b74f1b76ac4a45660b58294d4afb772cfef630a08ef84fccd89fcc5f6a3c94fb5e729bded0

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
55KB

MD5
d30dc6b32bd3600186eab85c0e3c7396

SHA1
439674b73b98dde047ffcd71994de59e353f48b9

SHA256
ee761c801b1153b915194d7c7d1dddbc69c9ed31936844c220c4e7247ace890b

SHA512
7eece2bd4ce7cdcda251b62239f6f6e8c5304ddef2d1db9d67aceb1f5fa055c28d866c3a33302a49abd9cbe9d6af528b0997cc488111fd76b10b9915eb324f8d

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
55KB

MD5
4d09c70f5e997f6b26c76ccc643ce2f6

SHA1
626ca80e56ce77863bc1ac084e38e31c72bd907a

SHA256
b41c78df3bb1a7bea0634956063456f2cf33d7c3408dd58fe6bb37c66e3ac8a9

SHA512
e987fa47c5ec803c1c65bbdbc142045e7f843ff97153212884573926cc51921bc3430297cb64e53cb59bd91cef5a5bb27e9b6285c20e763f9df682dc531a7d00

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
55KB

MD5
2b1f8a80e16a4cd69e0c6395d32a1fc2

SHA1
6a8edaa863cc12370c7b19ee4a096e283a22933d

SHA256
bde657646bed14937ad3eb792f4d3b9aa7a3c8449b97372afe0f16eb5f14b38c

SHA512
2bd422ffb843aa4c1d25827f639ea1f2aeee77aa8ff3d0cfe1379b2c5e2ac1f24256b598f8fa183f006229ac603f5cc9aed1b77964a2b1fdcd4b59d8cfc43449

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
55KB

MD5
fda7649b378d2a154bb327ab1e7f6897

SHA1
f8caa9bb831c2cb55217b78ea272102917a685d5

SHA256
40aa8ae1f791c0f4875d70e7fce75e53f5026a5e0cc6434f1dbeb0d4eb66f42f

SHA512
d99a9ea9d292e252c26d88757ef5e806846a3ee2c5be8260d7fa1542ec97152298cd153d709f5705f7f217e53492ed3531d2acd56198f9abdd48b6e197fe1f5e

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
55KB

MD5
1d89e34d70fc6fdfe950e8ed3201845d

SHA1
61f812f900ebdbd6016cf02dd7188951a5772c8a

SHA256
4183c35169e595f0bf10bbeac6c5a11d6069b00090f8b798b75d4bbb43a0240e

SHA512
e60570cb3baa831c0554e968c7c46c180faa487631da8e1708f371b6c6af4bf7d7d2c83dc2cae436c97fd8d159ce7ba0ed3d67e4ecf4f06acc47cb9115e0c6f5

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
55KB

MD5
9fc76d55b12989ae76e6bd4a59a3ffa9

SHA1
da215c36ecc515432396d381242445907a3ccca4

SHA256
5ceed3bc82ba32521a8bbf66c601d2d8a21eb9be7160acea9c92d3cde4c4175b

SHA512
bcb6b89c03e440055f2d13cdfa68d6efaeae8ab21dde7f9a021e647e50e5f0a553675d61326cef697d79533d0077fa9ac14155a8188a0a839e30a906514d65d1

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
55KB

MD5
664d2a82893dd9ad900fde214791590c

SHA1
5950172f825310d3ad0e67e67abab6bf3e18caea

SHA256
12b727afc881774f677ad8fd1ecc9702fab43f8dec3f5094029808b14ac58cb7

SHA512
3855a46a93ff836d30e17156a74953d676d64272af73f12dac16853adad3b1f6c7333f2fb0d0f922d0f551b84a352e43eee154f9bf0e8e13c96e5ce100cd0ca5

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
55KB

MD5
9513ec2bcee061f2f82e4e84035d5c5e

SHA1
67bae6203d6422b61a4b5ccb74c996e678d17e6a

SHA256
92ff29ac5d9378a0154bb386c3a8c6193c50fc0c0b6de29a1346930e79212c5c

SHA512
fa5390e645a2effa400d7d417a171b5a5036f8018d6d134f9c023d6b70758e8b1fa1d1e5c1788f33125bb4a9b38529ad4ce03fb49f038de7b69fed2b082a9e7c

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
55KB

MD5
67e0fab6c2bdf0708c5327825dc5e27c

SHA1
4499423bb9ba83d584329c5ab967a5b631d48bec

SHA256
4535a2528d04dd347e53d66616590917365e3e47b42d26f741a0bad41c53d2d3

SHA512
60989f3c6d0057b0650a832b523d63cfee9b7d985f8e64765523335701e91ec602aac6ddf32218053d6a3a74bda9e822257eb382ee2c2fff31577240f57e169e

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
55KB

MD5
6dedbe82d70f6fc07f6a372074828896

SHA1
bbdfccf89f52ea09b0a1107c2c3fa9b201b24f27

SHA256
762305984d8e13cd8f0134ab4567ca8e26e2655eda87cf21af5150ae96892249

SHA512
83cd66092c1e4446f35097b09b0fa32cc83b160d015eaa01275a6c7e4fc0c0295f1f521fb5394ed9ffeed115ea0fec7f4f50cdaeab12059977cc4b8bdc3dbff4

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
55KB

MD5
ef845b1a86036f5e40efd608ad6e8ee8

SHA1
f0ea203d47c5c448df9606fd738db656f6f644f4

SHA256
ddf131bd60544dd3fac8a13f2303e7781a2c20b065873ee05bd474bd04da31d4

SHA512
077b1075606bcc28769dd8c8b5f07a615af6f98f56c098a47300629da0543a761190aa30a83f3c1e3f9cb500ff0323904f4328e09799b866116754fa80c5c801

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
55KB

MD5
897c11144fb829be33623079f1731ae6

SHA1
f13189566a8eaed8d0ca5613584640180070c76c

SHA256
cf27c6404f2f4e2fcec16ce4b3c12cc6e7c7f68b734f57553f8ed6345cb4d184

SHA512
cbe165e893ec8bb4f623eea49bfe219e47bcdfec89c053ac3441d595cc1e9ee06095dc67d4d28cb3e90f4d39dadae1134544bc5b9321c696c3cb41ac6bc8db4b

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
55KB

MD5
38cf52d9406e963c322acda18e3c8c30

SHA1
b3c4aee518bc0037a7546ffc3b26e91f8d8a7ddc

SHA256
32ef9c55220a557f8870112e3db1420a25781d9278382a3e4066136ea4990ada

SHA512
43ced937f88351b32fe28a5b00b430ad7a8dcfaf31792c4185e40122dd7045b862b2ab3eedddca32aedafaa77b7aeacb6a8bc78a102f9f65cc39c8d963079101

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
55KB

MD5
d73798f7f89ee36510119691da506af4

SHA1
bb85b529f46f3c1bca2a54365164519bb975b35d

SHA256
8dec6c5c5e18f9b95ed3b698b7ae773477137ab40110c764983d8d4217227ade

SHA512
988c950acd4729e7d16bde124abc502e7ed74ba48abaa624ab19c1a9173b0e57e8c0418f2b567c877472c350f3fb4c0b12d5bad1cca2d0488aeb1e5b9713b7e2

Download Submit
memory/216-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-947-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-952-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-944-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-951-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5124-941-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5160-902-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5244-893-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5336-936-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-913-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5456-933-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-892-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5644-909-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5760-926-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5824-896-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5884-923-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-895-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5984-921-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads