7e15c8ade9d5f2b40de4fb7989493ade2e84fd08ed5f060c093f0763090cba56

Analysis

max time kernel
92s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e15c8ade9d5f2b40de4fb7989493ade2e84fd08ed5f060c093f0763090cba56.exe
Size

144KB
MD5

d3d15d18110b072ecc74d03c0960f786
SHA1

29fd5699b52c0614844a320ffd7cd3d8f13cdc1f
SHA256

7e15c8ade9d5f2b40de4fb7989493ade2e84fd08ed5f060c093f0763090cba56
SHA512

4dea82bd5b901ada5a86d0beb3e1fc35dfeff341dbdce1000853583dbeded27061e3ada87b1759cbd0739efea1a47f6504192bc893186330f250c7b18ff37239
SSDEEP

3072:kKpEWsmpVdMDP35dUg4uZfzdH13+EE+RaZ6r+GDZnBcV8:djsmpVdMDPJaIfzd5IF6rfBBcV8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe

Executes dropped EXE 64 IoCs

pid	Process
4604	Fqhbmqqg.exe
4112	Fbioei32.exe
4324	Ficgacna.exe
3804	Fqkocpod.exe
1384	Fbllkh32.exe
3136	Ffggkgmk.exe
2168	Fifdgblo.exe
1664	Fqmlhpla.exe
3256	Fckhdk32.exe
2304	Ffjdqg32.exe
2556	Fihqmb32.exe
3300	Fobiilai.exe
4376	Fbqefhpm.exe
3352	Fjhmgeao.exe
1600	Fqaeco32.exe
4924	Gcpapkgp.exe
2640	Gfnnlffc.exe
3396	Gmhfhp32.exe
2592	Gogbdl32.exe
4488	Gfqjafdq.exe
748	Gcekkjcj.exe
4008	Gbgkfg32.exe
4440	Gmmocpjk.exe
3996	Gqikdn32.exe
1088	Gcggpj32.exe
3508	Gjapmdid.exe
2248	Gpnhekgl.exe
700	Gfhqbe32.exe
1560	Gmaioo32.exe
5044	Gppekj32.exe
3864	Hjfihc32.exe
3244	Hmdedo32.exe
4004	Hcnnaikp.exe
968	Hjhfnccl.exe
32	Hmfbjnbp.exe
4680	Himcoo32.exe
3148	Hmioonpn.exe
3952	Hpgkkioa.exe
4152	Hbeghene.exe
4060	Hjmoibog.exe
2528	Haggelfd.exe
1868	Hcedaheh.exe
1904	Hjolnb32.exe
2296	Hibljoco.exe
2456	Hmmhjm32.exe
4904	Iffmccbi.exe
732	Iakaql32.exe
5108	Ifhiib32.exe
4300	Jpgdbg32.exe
3716	Jdcpcf32.exe
1528	Jjmhppqd.exe
4796	Jagqlj32.exe
1212	Jpjqhgol.exe
4472	Jdemhe32.exe
1276	Jfdida32.exe
4340	Jaimbj32.exe
2228	Jplmmfmi.exe
5008	Jbkjjblm.exe
4992	Jidbflcj.exe
4400	Jbmfoa32.exe
4832	Jigollag.exe
1956	Jmbklj32.exe
3140	Jangmibi.exe
916	Jdmcidam.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Fqkocpod.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nbhkac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5372	6092	WerFault.exe	218

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 4604	316	7e15c8ade9d5f2b40de4fb7989493ade2e84fd08ed5f060c093f0763090cba56.exe	86
PID 316 wrote to memory of 4604	316	7e15c8ade9d5f2b40de4fb7989493ade2e84fd08ed5f060c093f0763090cba56.exe	86
PID 316 wrote to memory of 4604	316	7e15c8ade9d5f2b40de4fb7989493ade2e84fd08ed5f060c093f0763090cba56.exe	86
PID 4604 wrote to memory of 4112	4604	Fqhbmqqg.exe	87
PID 4604 wrote to memory of 4112	4604	Fqhbmqqg.exe	87
PID 4604 wrote to memory of 4112	4604	Fqhbmqqg.exe	87
PID 4112 wrote to memory of 4324	4112	Fbioei32.exe	88
PID 4112 wrote to memory of 4324	4112	Fbioei32.exe	88
PID 4112 wrote to memory of 4324	4112	Fbioei32.exe	88
PID 4324 wrote to memory of 3804	4324	Ficgacna.exe	89
PID 4324 wrote to memory of 3804	4324	Ficgacna.exe	89
PID 4324 wrote to memory of 3804	4324	Ficgacna.exe	89
PID 3804 wrote to memory of 1384	3804	Fqkocpod.exe	90
PID 3804 wrote to memory of 1384	3804	Fqkocpod.exe	90
PID 3804 wrote to memory of 1384	3804	Fqkocpod.exe	90
PID 1384 wrote to memory of 3136	1384	Fbllkh32.exe	91
PID 1384 wrote to memory of 3136	1384	Fbllkh32.exe	91
PID 1384 wrote to memory of 3136	1384	Fbllkh32.exe	91
PID 3136 wrote to memory of 2168	3136	Ffggkgmk.exe	92
PID 3136 wrote to memory of 2168	3136	Ffggkgmk.exe	92
PID 3136 wrote to memory of 2168	3136	Ffggkgmk.exe	92
PID 2168 wrote to memory of 1664	2168	Fifdgblo.exe	93
PID 2168 wrote to memory of 1664	2168	Fifdgblo.exe	93
PID 2168 wrote to memory of 1664	2168	Fifdgblo.exe	93
PID 1664 wrote to memory of 3256	1664	Fqmlhpla.exe	95
PID 1664 wrote to memory of 3256	1664	Fqmlhpla.exe	95
PID 1664 wrote to memory of 3256	1664	Fqmlhpla.exe	95
PID 3256 wrote to memory of 2304	3256	Fckhdk32.exe	96
PID 3256 wrote to memory of 2304	3256	Fckhdk32.exe	96
PID 3256 wrote to memory of 2304	3256	Fckhdk32.exe	96
PID 2304 wrote to memory of 2556	2304	Ffjdqg32.exe	97
PID 2304 wrote to memory of 2556	2304	Ffjdqg32.exe	97
PID 2304 wrote to memory of 2556	2304	Ffjdqg32.exe	97
PID 2556 wrote to memory of 3300	2556	Fihqmb32.exe	98
PID 2556 wrote to memory of 3300	2556	Fihqmb32.exe	98
PID 2556 wrote to memory of 3300	2556	Fihqmb32.exe	98
PID 3300 wrote to memory of 4376	3300	Fobiilai.exe	99
PID 3300 wrote to memory of 4376	3300	Fobiilai.exe	99
PID 3300 wrote to memory of 4376	3300	Fobiilai.exe	99
PID 4376 wrote to memory of 3352	4376	Fbqefhpm.exe	100
PID 4376 wrote to memory of 3352	4376	Fbqefhpm.exe	100
PID 4376 wrote to memory of 3352	4376	Fbqefhpm.exe	100
PID 3352 wrote to memory of 1600	3352	Fjhmgeao.exe	101
PID 3352 wrote to memory of 1600	3352	Fjhmgeao.exe	101
PID 3352 wrote to memory of 1600	3352	Fjhmgeao.exe	101
PID 1600 wrote to memory of 4924	1600	Fqaeco32.exe	102
PID 1600 wrote to memory of 4924	1600	Fqaeco32.exe	102
PID 1600 wrote to memory of 4924	1600	Fqaeco32.exe	102
PID 4924 wrote to memory of 2640	4924	Gcpapkgp.exe	104
PID 4924 wrote to memory of 2640	4924	Gcpapkgp.exe	104
PID 4924 wrote to memory of 2640	4924	Gcpapkgp.exe	104
PID 2640 wrote to memory of 3396	2640	Gfnnlffc.exe	105
PID 2640 wrote to memory of 3396	2640	Gfnnlffc.exe	105
PID 2640 wrote to memory of 3396	2640	Gfnnlffc.exe	105
PID 3396 wrote to memory of 2592	3396	Gmhfhp32.exe	106
PID 3396 wrote to memory of 2592	3396	Gmhfhp32.exe	106
PID 3396 wrote to memory of 2592	3396	Gmhfhp32.exe	106
PID 2592 wrote to memory of 4488	2592	Gogbdl32.exe	107
PID 2592 wrote to memory of 4488	2592	Gogbdl32.exe	107
PID 2592 wrote to memory of 4488	2592	Gogbdl32.exe	107
PID 4488 wrote to memory of 748	4488	Gfqjafdq.exe	108
PID 4488 wrote to memory of 748	4488	Gfqjafdq.exe	108
PID 4488 wrote to memory of 748	4488	Gfqjafdq.exe	108
PID 748 wrote to memory of 4008	748	Gcekkjcj.exe	110

C:\Users\Admin\AppData\Local\Temp\7e15c8ade9d5f2b40de4fb7989493ade2e84fd08ed5f060c093f0763090cba56.exe
"C:\Users\Admin\AppData\Local\Temp\7e15c8ade9d5f2b40de4fb7989493ade2e84fd08ed5f060c093f0763090cba56.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\Fqhbmqqg.exe
  C:\Windows\system32\Fqhbmqqg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\Fbioei32.exe
    C:\Windows\system32\Fbioei32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\Ficgacna.exe
      C:\Windows\system32\Ficgacna.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        26⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        34⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        36⤵
        Executes dropped EXE
        
        PID:32
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        37⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        38⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        52⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        64⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4748
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        68⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        70⤵
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        72⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        73⤵
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4432
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        77⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        78⤵
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        79⤵
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        80⤵
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:900
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        90⤵
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        91⤵
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        94⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        100⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        101⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        102⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        103⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        106⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        108⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        112⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        114⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        115⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        117⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        118⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        120⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        122⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        124⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        128⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        129⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        131⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 420
        132⤵
        Program crash
        
        PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6092 -ip 6092
1⤵
PID:5200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbioei32.exe

Filesize
144KB

MD5
c3db1e286cb1c39b88a979bd2432f946

SHA1
9c49b490e5d3b2569aac2d6eca38c843986589df

SHA256
95ea732dc293038e495e3e29a4b4e7224179129d7dd642db5d27b5d813ab6a74

SHA512
bcb3335348bbedf30282fadbf46eacbed89f475791eceb71ab16f470d16e8902884a27a8a11a7fd928e2bfae1014e9b387a11e4d7f7230cf8ea7390b48b8e177

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
144KB

MD5
daf3ee16a79242cdf269469d509f0cba

SHA1
4bfb217fcbde3ea90eb2b2bb5820ec0d7907e89f

SHA256
d87958a80e71c69b8c44a8e4d9c778061ba0ad7146ebc96f4d0297e50b21d2fe

SHA512
de36094ee6d1e08e17f07791d1cefb48e3a438a723422bbf2f1a8383408c05e7fbe0a64da1c33461238c9e4215d8216787e70599d3b4ec173ba74d72f9643b6f

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
144KB

MD5
4b6ff3840925639d705a0dfabb369f72

SHA1
c64884a5ef89696b798e283d6477cd6684c4f911

SHA256
07886325ce906286cbee8deb977884ee09bb904032fb609fa23fa9f168f05b28

SHA512
3d692045d4633264c8fb35408d331b92a8f7e6fb2fb7b872b7cc1b9bb2f68dae9d113110865a21e5718c2ae9bdd79fa86c9124d61cb07b574597977495d0de3d

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
144KB

MD5
e9110555e91f34023d4bb510548fec0d

SHA1
5e5e21c2fa2d70641dbb6aa62835067385a3c0dc

SHA256
d8d01aafbccc27f413092a7d409fae307d8ba2001a2a01afa99e1cd19cd86af7

SHA512
ef58ab241ad057565cdcea0e2e5c6072ac8e270de2018a156540d742239c06ba7258d333a168f7051a842acffb919c7ef33197b01733c0c34548af679caa8e7f

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
144KB

MD5
80cd8f0f9a3f371b840f6cd7137aa9ab

SHA1
5a945ae5663739ebb89be292182387dc4af4fa39

SHA256
9f9a22277b6077bd888e99b6ed1f686f988593f9e591f860e7124641fb99bfef

SHA512
2b622610f6f7dbe4707f95c76dab2a3c1f3fc7aebc14ccff8ec1cef1eba1c0a4ed6761fcf8b4b679d8ac513af7811aa01a22136ef66e4390e196277983eece95

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
144KB

MD5
3bd6db345c5492b7223f5af718cfe627

SHA1
afcb80aeb2a92e1a695732b5f0b93a20ee2aaf50

SHA256
40be3258908f1df7f28cc807c3b17bde65f1ee6cb61fb4d79e78469ea4b69dca

SHA512
9c1de80c5f08763ab598f22035a4736c1431e0ed54414b0cb1292e927c5e4f593926200597eb64576a47285e09341cee4e143bee3c608ea23308e5756be59b7d

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
144KB

MD5
2e737c0890a7e8160ae383a5340ecd16

SHA1
4f203b1ae1c273b3d037063dd5da44a4fe441a63

SHA256
f411c36eb8c2adfa673f5cb6839360b52ac086e327b0ace026e7327fb324de93

SHA512
586c180963b8b5588fa29351efba3c2ebae06ed5df73165ed2801131725cb4cf3dbc2ff752359a3e579727cae5ad839571753258e871bb089d7166c5715b296f

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
144KB

MD5
d9597f40ae8e1127d5e84a43e2558193

SHA1
92e7916fe2b9df2f535af86d3c90d75c8297fe82

SHA256
9c6d1395d1afbc82ba105e2bc5f98142b56aaf403b01c9cfd6ab9b581ea67f4c

SHA512
d47112e0147995458b50841042e160f4012e6d88f0fbb14216819a9dd261ef0ae1ddf3c8399d48241a5f2d8b074b23f4b8beccaef4d4f76f5f7d797ea4c8411e

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
144KB

MD5
96bbd643d1498a47e710ff550dc14135

SHA1
9858b8ac230afc6a1de658ca0bd80c12535496cf

SHA256
64f6c16465cad0134b44e86fd1bc625177ba4b01d1fa46b8e6d2e63cbcf5c18e

SHA512
d6133818c924bc16a1c0bab08474df685fe2ce663c36ac58b1780b20fa2caa130a900c36b7bc657401c75b717b5975426552a3c9d9dfa243f5aa3256226adfcd

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
144KB

MD5
769558c4197d7dece7a08b3312768b28

SHA1
a0f3a8475431a8504ba167f895b1aeeb33645b31

SHA256
a50607e5bb0aeef15cb38d34ebeac708ac89e1c0edafe3ad824b52059e1fc812

SHA512
0b6ff82d324b2ea17399cfe4e634b0705f3a3ce944640acde7942646594d8dc0190b8c74ea72617bc38ac4f1c5d5638c6da7ef35c926c4891d67d4d3d9d85b97

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
144KB

MD5
e900c27c24d73e56f4ac5dc09ac5878e

SHA1
f82a66f6bc53e2a377bc4baa19d3036fde1e2253

SHA256
e8b225b9fe8894eb11868f775677ca8bfac8fb428eed702aec6fc6bc70e3feb2

SHA512
0cda59f283cdd898087f75779445dedf8a6cc96d174f2bb98b3a262a77e22a8b3c6e98a8ae934c2dc211ffe9624ead558926f1b62ea3dc5a305181d2d1328316

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
144KB

MD5
9c0e033ff5eb717c442d9b3be6249dba

SHA1
c2c43d45b6a72a69064c55673fe27b7d1c41a810

SHA256
24d7c5d5ed129335d86a9fa3573c05ae40c5885e711b09b50c45b4db79b758fe

SHA512
7f3e5d69c88ae42f31db41573345fde2ca370d20f9ae6df58cd856f30ca5d4d16b7385ca50d22c5c8e2679e4f57f68ce415c7a99b23a201093c41717f124a3b6

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
144KB

MD5
ad94eb3dd400cfe2a55905dcd844b630

SHA1
634e738f45e5de4c234100ed6c761ce8aaf9e8e1

SHA256
1c18ce976cedaaded8e88d91ade92f5f292e061badb003b584fc1f4261a0c636

SHA512
a42456efed2cd89a3cd6d77504063e431a9cf4ef93b22168e6b07b7e24d4dae3e6b6ebc5ab16d693059a7b7a28ad9bb320608fe666c88fc75db15394f6cb9026

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
144KB

MD5
db7396f1bf4184f3a07769579172ab1f

SHA1
653d33f53c4beca53564b0a8b46885f9c87c27c5

SHA256
1fb74028395af6e31c447f36537aec0c136dab22e9410bb659cd76ea10cb925c

SHA512
2d66a3db3753beb29b08ec7b23a54b690b473c481e96b70db14bf59d192d9419b3241fe44db7d4e97c0a230172e674b303279fb133696b2dc60b5e9dffbf3db6

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
144KB

MD5
8ca85b3f61af92803c5ee21a3f5a9093

SHA1
9dfb7164d3e6b085155196488fad435447c8f426

SHA256
3e108bc30821cd984d7661af15fa2cdbea632dd48ffb73f910db83169243cabf

SHA512
32aac89e13148a3421c2d41fccc9931a341b6f9b39dc28f610747f0e3d9122199a3b866b72f3b6c8025b992cf107f14ae248c7575264f813f4748f3a6af07b25

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
144KB

MD5
a80d7ffb6ae3933f0de758def1cb2ae8

SHA1
b6b1dd392420ea000c6e0cd270f1d61225b9aaf6

SHA256
90f3b12982ca67b04442b8d4803b411b8e9d743632e7b10a7afc681bd83b0054

SHA512
23a704979d139cb358cc17650dba13657f7fa74e3d483ec933761d4f612cf1bf26c9667cb509cca0167d2af2ef92ac8dc2a8720eb6c8b21ea8e5b610fc3eba16

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
144KB

MD5
ac16850bf86314d9e62bc3f26627db66

SHA1
8fe3d68fee25abaef65f3c2b0b93b715e91ffec0

SHA256
93b0ca526d1f0ab5eb0382833b0e701d3c19d2e1bc0278eafc2b11de8a9a0bd8

SHA512
ea34c3e97d964333388247288ba7aba89aeb07bc20e07a9ab56a6078ca0ba8e2eca82893e4211d71491259b849d2500006c4c7508f8957bdafa32379ff30da26

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
144KB

MD5
12b8fbbcd356d5718cf1ca3407ef1dc7

SHA1
9f4d2e39d9563ec3bac5aae4c1f6b961edff60dd

SHA256
d9baad0fe50be3a01a011cd7a7da6c0fcc66f2c3e58cc85aefa3cd30bf23da80

SHA512
c0ed57a126ffb4ead070202787acee08a86366cd40632bff3286624592a4c5f6a2482851553e1fe19bfb1907fbc17215503971bfc73cafd57834baa4e0282501

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
144KB

MD5
aada1dd347ab725008d7554798b2001a

SHA1
1b0d8d515f07c9a1f595c7f7e1dec44d492cf925

SHA256
5c452f75e3eb1ecbbc0d89a57d1a166736fa0e23bf4ed8b1cc5754b551cc573d

SHA512
8c351290f152332ff247280df7b75449f5cb00648ebcf36a79d9d4b1dfbc61953653c4f9453dc3f9191d996702480016bbb891a73055377cf7efd2792b86be9c

Download Submit
C:\Windows\SysWOW64\Gddfpk32.dll

Filesize
7KB

MD5
f9f616ac380d1bc84d6442abfc0c51cb

SHA1
489eaef00e51d2ebde3aa2f5f2137a46307fa0ff

SHA256
7190696fcf5b5d480dab25b961bcda28bda2cd6d0f8ce9110c7b46c17ef343a6

SHA512
95818d3ba536ccdac4dbc426dd3688b8ee98b0f85f1cd17dc96bb91eb259ddb09dab41ee5bc465dd2913b6a2a757d2fd4a5e4ddc1dd82e75efcbd392f49508f0

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
144KB

MD5
115da68b6cee0bfa64aaee67832e8a8a

SHA1
d6943830ab0c9a33a20382b8084ab4163a97903b

SHA256
dba6dc2780b43a293ee8053ce68bd801646105032303683ebd8768bc07bc3336

SHA512
d9505ebc7e126e1793bd1575a33ac3ac19f590bc164506dc49036116167688bfaf56740d9941397a7733188d3207fb34bac29dba52c7fa15f5ba0c90a5558711

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
144KB

MD5
816f27a227aab1a2bcd44111823be9e9

SHA1
9dfbd439ab678e0414183b6754d4d21c21342697

SHA256
d0790344490066fc4fd5226bd4b0914971b4b386ac7fa6dca7cc1cd7054419cf

SHA512
fbac6b248c76651624035028fe886bcefbe20423e53b1988e46d295e9d5b581c52f8c947d3355f3ef5c965d0db3df1ea75887938782f5802b78d3b92d936f694

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
144KB

MD5
6288c2f67d67a4159c60ba6a86778ddf

SHA1
f8179bf5d11ae1b26e9580b29e74f3d9339ff598

SHA256
1f5d2b63f0ade720fb8bf37f447c73250e5305088585ed9f361c9911e1cea2ca

SHA512
be431284bdb3cbb9760797622c9729e362c64eeaabaef1a68b61a00dbc3160a60fc92a8510a8514a94203fa9da553d39aa16f1368937664965264764deee71e4

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
144KB

MD5
5027f9d92da16af308b1ace7d6ff8779

SHA1
43ca94b53dbfc8c92ab0c40a308e0cc362ebca7a

SHA256
cf1e5019b18c1877325eb406901b72f939c97b0e44c0e8a33a5782d0acda9ed8

SHA512
1135236d38c6ed8314460e16153309e1a73140c4febe10123175495950d314eb7b2363b2eb08215e463792388f8b74d859e9da6b7eaade5c79f43f51347d6d6c

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
144KB

MD5
e23e817baeaa529bc67e8cb0e3b28320

SHA1
a6be7fde597c1472a08dfd57c32297c4d5992c71

SHA256
514fceda4ac52ba76cc036d0aece6c0a9060b525c19eb8118c5633305e504dc8

SHA512
474ab8ea61cade7351ebf95b52399389df5c8d6a5f382d6b4dbb9f7dbd518aa453b3e515e1028e75bdedc07a6a3de1fd075a41852767d485a0fdc2ea7bb1528d

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
144KB

MD5
1586ac8d438d61997fa5af049f913afe

SHA1
bf67b27dc5a4043f634d6caf35ec0bfc1360e7e6

SHA256
8e26114de07ea47a82190e66a3793ec4e4e10d0c5a9c8e57fc336b9b64143ed6

SHA512
f83aa14743fb068f9dfa562e405375d3296d631c3e7c4a3bc808a8fdae4a2df6f9b315e8ffbd01b504b8cdd5fa3d16fb0729acfb56a5e12697d2eec2c62c4c26

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
144KB

MD5
2481928e5e4ea9e86ee83466150c8d1f

SHA1
cff04e0adc591aa5576c63c699c4e65f97077969

SHA256
5eda37cd2b0542c25a8dd9264d3144734968d9cc08ef2e2a7e8e72b815782ff1

SHA512
31d4a5e589fe644bcf1ea6d96b800d0b5d023550021b079593a399f2e79cd6ef4f627614851a5ad1d36023c3b48cccb99c48a6119ed133898367673f94b50a53

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
144KB

MD5
e96c8d50f21fea3bdef97b70498dea41

SHA1
6f91bf93c88881511b1395bf5a4d41a82036c785

SHA256
d1eb960ed46107ee22ff18111b0bea4072d8b405c9cbfc6aa2202f8c67602ff1

SHA512
0d231483671d5cd47b382d68a07dd73d191b9090c398c3a3dba40b27ea711db99b49dae7f008a2ba54d8d85701db46f3d0b61dc402eb950ee56bfbb8efb43498

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
144KB

MD5
7eb2b0608ecd751f93aa784cd9d72fcd

SHA1
fc36dbb4e8bbfe0d9b523a67362dfac2ae03e8d3

SHA256
c1c624ce2e40f861bd171787a65638c3abbf5d0199bf8213dd029ce638dafe7a

SHA512
299339bc631cafd9c57885bebd8ced35ae9e38dd154bd87eef9111b0f97e88ed6e8258d8dacac5333dfc0259592d5e577c3b116308f7abc727a1bc662f1deaf6

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
144KB

MD5
57880a612f48344f029e446149e9e443

SHA1
b55fd3516ed5b8c3d670632712c10e7440614143

SHA256
00985808882df9664f29fc2c0f3d1d575f58dc6bc004063d5ead22b08f1645ce

SHA512
6a570cbb8a23542aff63808a9ab7b5b063bff64649a9c5c50929eb6d3885e71da14c60764b6650b17f84d27e6e35f33793760d8bce5be6910edf4b715439b36f

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
144KB

MD5
94cf2d0a782891560ff81d3fbd434d57

SHA1
1a15e659d5a0359dbf2601e61f00a6444e21cad5

SHA256
9d76cdb731291f873d0cf7ccfa8d20b90128392d60a4daced86c3ced2db4bde5

SHA512
6681d1c74453a68b87c7788517cca513d7803d6d5c86d58871f8db547b3f78813a82d659024e4e57d52cfa92b6f31c21846bd0f981d0dd542ca99c5a210d0a7b

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
144KB

MD5
4c0a3475dd3084fd61ffad99e0b750c5

SHA1
559f53b4d9cfc6f56566ef1821abf83727ec74ef

SHA256
476f532a5c0efc428bda1db6846d5fed18946bc62399edd02fb3ac546c6f7a8a

SHA512
9f3404cc72adaeb41e1ffb5fa4f58ae7e5581889c14658ecdc5cbc3ff3add8ae7c7c82440bdd78afb8381c705a4203b08e4772896563bf2abf58254aca85b921

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
144KB

MD5
2299d8a93ecfea93d5678165dd145427

SHA1
6778d13f80724f59c3a4b527ed5183c5622f0593

SHA256
74e87f1cdf1b6bb8b93fc0ce520712935fd78381e62a683db02b98be905402aa

SHA512
cf876b3899621dc3ccd5af09033f4cef90464e94feb63dba1dcf4c98598e17d43260a686d9baa351e0047457d532cd3bd6c0491767288f0208a4f8cf8fb9d40c

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
144KB

MD5
25cb6561bf90c9097b553cc003465fa7

SHA1
6040b7229a9c1348bef0c97f02f1f3d61a01df02

SHA256
83771d24926406aa3b9d159d3d10c04ccb2e81f0c30f504441cc11bf70c705d2

SHA512
d7330f4f8c168d74b5170eda741a11e54dc350da930ddab2f431375763aad6246db9094bc7c0d4e1972ef8abbc3fa418af1409dcba7a6678a573feb880227b34

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
144KB

MD5
d7c58fd96a9ba96f50935893db570be7

SHA1
d88c610ec0f0b5e5cb857eda9e7bf27c8e27621d

SHA256
a620cce4e43c6f9e3b9676439e6aa3ccb8f84215573678296ef34a8965da6c88

SHA512
c393288772e21e322d6e1791a975bd13125054e57774480c7861fdb063c8d2195f771d0e7b9ccc57bce8dd6725984cc11acbdbe17d37588babd8b661b781c71d

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
144KB

MD5
7831bc2506646ae33f98cdd93a003fa7

SHA1
671e7a1b642cb4c31dbec3ff86a5612aa3d5a6e5

SHA256
d01d26622aa95e309c4bb57fbee8dae637352e8924cc78262487227f9044a181

SHA512
4165dce28330ad521a49a9150eae51e87e9ea37941ecd79d7ef4ac1a37c91f974ed0d96ea7a416e9f80e8098ad6123da3749f82ec23477f9aaab217852033d3d

Download Submit
memory/32-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-944-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/316-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-925-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-922-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-945-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-941-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-934-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-942-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-932-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4152-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-935-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-938-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-939-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-897-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5300-917-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5336-894-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5484-892-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5552-891-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5556-911-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5604-910-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5620-890-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5684-889-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5820-905-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5948-902-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5964-886-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads