55fa5ee940a4c2c16fd810de5fed975030c3028d9ebe817683563c11a996a073

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55fa5ee940a4c2c16fd810de5fed975030c3028d9ebe817683563c11a996a073.exe
Size

207KB
MD5

0559e52de78fca51d8c8c58a4b1dd869
SHA1

3e27bc4ce7336038d8235cb458495c5db630c3da
SHA256

55fa5ee940a4c2c16fd810de5fed975030c3028d9ebe817683563c11a996a073
SHA512

f4fbe723ee17886e396b28b1ac7d4ea418d06eca8e1627767dee8478cb558d7e6f244f26382b0d10a03860479504fc4d4c1f982572d7df362c4d13bb95a744ca
SSDEEP

6144:/o4p6Fup1q55TekHcVjj+VPj92d62ASOwj:/o4p64piTerpIPj92aSOc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cedihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baojaoke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clldogdc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clckpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmclp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpqjofcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbofkbbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Badcln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceblbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cakjmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clldogdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpjmee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clckpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cakjmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpcgdfaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe

UPX dump on OEP (original entry point) 52 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023162-6.dat	UPX
behavioral2/files/0x00070000000231f9-14.dat	UPX
behavioral2/files/0x00070000000231fb-22.dat	UPX
behavioral2/files/0x00070000000231fd-29.dat	UPX
behavioral2/files/0x00070000000231ff-38.dat	UPX
behavioral2/files/0x0007000000023201-45.dat	UPX
behavioral2/memory/4640-47-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x0007000000023203-53.dat	UPX
behavioral2/memory/4848-63-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x0007000000023205-62.dat	UPX
behavioral2/files/0x0007000000023207-69.dat	UPX
behavioral2/files/0x0007000000023209-77.dat	UPX
behavioral2/files/0x000700000002320d-93.dat	UPX
behavioral2/files/0x000700000002320b-86.dat	UPX
behavioral2/files/0x0007000000023211-110.dat	UPX
behavioral2/files/0x0007000000023213-117.dat	UPX
behavioral2/files/0x0007000000023215-125.dat	UPX
behavioral2/files/0x0007000000023217-132.dat	UPX
behavioral2/files/0x0007000000023219-138.dat	UPX
behavioral2/files/0x000700000002321b-145.dat	UPX
behavioral2/files/0x000700000002321d-152.dat	UPX
behavioral2/files/0x000700000002321f-160.dat	UPX
behavioral2/files/0x0007000000023221-167.dat	UPX
behavioral2/files/0x0007000000023223-173.dat	UPX
behavioral2/files/0x0007000000023225-180.dat	UPX
behavioral2/files/0x0007000000023227-187.dat	UPX
behavioral2/files/0x0007000000023229-195.dat	UPX
behavioral2/files/0x000700000002322d-209.dat	UPX
behavioral2/files/0x000700000002322f-216.dat	UPX
behavioral2/files/0x0007000000023231-223.dat	UPX
behavioral2/files/0x0007000000023233-230.dat	UPX
behavioral2/files/0x0007000000023235-238.dat	UPX
behavioral2/files/0x000700000002322b-202.dat	UPX
behavioral2/files/0x000700000002320f-102.dat	UPX
behavioral2/memory/872-276-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/memory/1600-285-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/memory/2256-315-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/memory/4420-339-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/memory/4136-349-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x0007000000023270-415.dat	UPX
behavioral2/memory/1896-432-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/memory/5004-488-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/memory/4948-498-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/memory/2952-504-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x0008000000023130-541.dat	UPX
behavioral2/memory/3912-540-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/memory/4148-550-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/memory/456-557-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x00070000000232f1-818.dat	UPX
behavioral2/files/0x0007000000023382-1254.dat	UPX
behavioral2/files/0x00070000000233b8-1410.dat	UPX
behavioral2/files/0x00070000000233ce-1472.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
4544	Behiln32.exe
4740	Bhgehi32.exe
2884	Baojaoke.exe
1396	Bifbbllg.exe
4568	Bhibni32.exe
4640	Bpqjofcd.exe
4976	Bbofkbbh.exe
4848	Biiohl32.exe
2828	Bpcgdfaa.exe
4144	Boegpc32.exe
2016	Badcln32.exe
4196	Bikkml32.exe
1520	Clihig32.exe
4428	Cpedjf32.exe
4808	Cccpfa32.exe
4664	Cafpanem.exe
3900	Ceblbm32.exe
3496	Cimhckeo.exe
4828	Clldogdc.exe
1964	Cpgqpe32.exe
1448	Ccfmla32.exe
516	Caimgncj.exe
4960	Cedihl32.exe
1876	Chbedh32.exe
3516	Clnadfbp.exe
2600	Cpjmee32.exe
2520	Commqb32.exe
912	Cchiaqjm.exe
1628	Cakjmm32.exe
872	Cibank32.exe
1760	Clqnjf32.exe
4764	Ccjfgphj.exe
4396	Camfbm32.exe
208	Ceibclgn.exe
4508	Clckpf32.exe
5060	Ccmclp32.exe
1600	Capchmmb.exe
3724	Dpacfd32.exe
4588	Denlnk32.exe
3544	Dlgdkeje.exe
3108	Dofpgqji.exe
696	Dephckaf.exe
3680	Dpemacql.exe
2256	Dohmlp32.exe
512	Dhqaefng.exe
4728	Dphifcoi.exe
2324	Daifnk32.exe
4420	Dfdbojmq.exe
4136	Dhcnke32.exe
3832	Domfgpca.exe
4448	Efgodj32.exe
2040	Ehekqe32.exe
4656	Elagacbk.exe
1556	Eckonn32.exe
3344	Ejegjh32.exe
4524	Ehhgfdho.exe
2868	Elccfc32.exe
2444	Ecmlcmhe.exe
2932	Eflhoigi.exe
5088	Ehjdldfl.exe
640	Eqalmafo.exe
1372	Ebbidj32.exe
3316	Ejjqeg32.exe
1896	Elhmablc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cibank32.exe	Cakjmm32.exe
File created	C:\Windows\SysWOW64\Ceibclgn.exe	Camfbm32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Bhibni32.exe	Bifbbllg.exe
File created	C:\Windows\SysWOW64\Bpcgdfaa.exe	Biiohl32.exe
File created	C:\Windows\SysWOW64\Gcjdcc32.dll	Boegpc32.exe
File created	C:\Windows\SysWOW64\Jingckla.dll	Clqnjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Helaah32.dll	Bifbbllg.exe
File created	C:\Windows\SysWOW64\Bpqjofcd.exe	Bhibni32.exe
File created	C:\Windows\SysWOW64\Ceblbm32.exe	Cafpanem.exe
File opened for modification	C:\Windows\SysWOW64\Denlnk32.exe	Dpacfd32.exe
File created	C:\Windows\SysWOW64\Hkcdljbo.dll	Efpajh32.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jgegko32.dll	Denlnk32.exe
File created	C:\Windows\SysWOW64\Dpemacql.exe	Dephckaf.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Inolmdgj.dll	Cakjmm32.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Behiln32.exe	55fa5ee940a4c2c16fd810de5fed975030c3028d9ebe817683563c11a996a073.exe
File opened for modification	C:\Windows\SysWOW64\Biiohl32.exe	Bbofkbbh.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lgkhlnbn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7684	7528	WerFault.exe	331

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	55fa5ee940a4c2c16fd810de5fed975030c3028d9ebe817683563c11a996a073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceblbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaokiafg.dll"	Cibank32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopfdhej.dll"	Caimgncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clnadfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehjdldfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cakjmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceibclgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inolmdgj.dll"	Cakjmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clihig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghamqdaj.dll"	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll"	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjfgphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caimgncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 4544	8	55fa5ee940a4c2c16fd810de5fed975030c3028d9ebe817683563c11a996a073.exe	86
PID 8 wrote to memory of 4544	8	55fa5ee940a4c2c16fd810de5fed975030c3028d9ebe817683563c11a996a073.exe	86
PID 8 wrote to memory of 4544	8	55fa5ee940a4c2c16fd810de5fed975030c3028d9ebe817683563c11a996a073.exe	86
PID 4544 wrote to memory of 4740	4544	Behiln32.exe	87
PID 4544 wrote to memory of 4740	4544	Behiln32.exe	87
PID 4544 wrote to memory of 4740	4544	Behiln32.exe	87
PID 4740 wrote to memory of 2884	4740	Bhgehi32.exe	89
PID 4740 wrote to memory of 2884	4740	Bhgehi32.exe	89
PID 4740 wrote to memory of 2884	4740	Bhgehi32.exe	89
PID 2884 wrote to memory of 1396	2884	Baojaoke.exe	90
PID 2884 wrote to memory of 1396	2884	Baojaoke.exe	90
PID 2884 wrote to memory of 1396	2884	Baojaoke.exe	90
PID 1396 wrote to memory of 4568	1396	Bifbbllg.exe	91
PID 1396 wrote to memory of 4568	1396	Bifbbllg.exe	91
PID 1396 wrote to memory of 4568	1396	Bifbbllg.exe	91
PID 4568 wrote to memory of 4640	4568	Bhibni32.exe	92
PID 4568 wrote to memory of 4640	4568	Bhibni32.exe	92
PID 4568 wrote to memory of 4640	4568	Bhibni32.exe	92
PID 4640 wrote to memory of 4976	4640	Bpqjofcd.exe	93
PID 4640 wrote to memory of 4976	4640	Bpqjofcd.exe	93
PID 4640 wrote to memory of 4976	4640	Bpqjofcd.exe	93
PID 4976 wrote to memory of 4848	4976	Bbofkbbh.exe	94
PID 4976 wrote to memory of 4848	4976	Bbofkbbh.exe	94
PID 4976 wrote to memory of 4848	4976	Bbofkbbh.exe	94
PID 4848 wrote to memory of 2828	4848	Biiohl32.exe	96
PID 4848 wrote to memory of 2828	4848	Biiohl32.exe	96
PID 4848 wrote to memory of 2828	4848	Biiohl32.exe	96
PID 2828 wrote to memory of 4144	2828	Bpcgdfaa.exe	97
PID 2828 wrote to memory of 4144	2828	Bpcgdfaa.exe	97
PID 2828 wrote to memory of 4144	2828	Bpcgdfaa.exe	97
PID 4144 wrote to memory of 2016	4144	Boegpc32.exe	98
PID 4144 wrote to memory of 2016	4144	Boegpc32.exe	98
PID 4144 wrote to memory of 2016	4144	Boegpc32.exe	98
PID 2016 wrote to memory of 4196	2016	Badcln32.exe	99
PID 2016 wrote to memory of 4196	2016	Badcln32.exe	99
PID 2016 wrote to memory of 4196	2016	Badcln32.exe	99
PID 4196 wrote to memory of 1520	4196	Bikkml32.exe	100
PID 4196 wrote to memory of 1520	4196	Bikkml32.exe	100
PID 4196 wrote to memory of 1520	4196	Bikkml32.exe	100
PID 1520 wrote to memory of 4428	1520	Clihig32.exe	101
PID 1520 wrote to memory of 4428	1520	Clihig32.exe	101
PID 1520 wrote to memory of 4428	1520	Clihig32.exe	101
PID 4428 wrote to memory of 4808	4428	Cpedjf32.exe	102
PID 4428 wrote to memory of 4808	4428	Cpedjf32.exe	102
PID 4428 wrote to memory of 4808	4428	Cpedjf32.exe	102
PID 4808 wrote to memory of 4664	4808	Cccpfa32.exe	103
PID 4808 wrote to memory of 4664	4808	Cccpfa32.exe	103
PID 4808 wrote to memory of 4664	4808	Cccpfa32.exe	103
PID 4664 wrote to memory of 3900	4664	Cafpanem.exe	104
PID 4664 wrote to memory of 3900	4664	Cafpanem.exe	104
PID 4664 wrote to memory of 3900	4664	Cafpanem.exe	104
PID 3900 wrote to memory of 3496	3900	Ceblbm32.exe	105
PID 3900 wrote to memory of 3496	3900	Ceblbm32.exe	105
PID 3900 wrote to memory of 3496	3900	Ceblbm32.exe	105
PID 3496 wrote to memory of 4828	3496	Cimhckeo.exe	106
PID 3496 wrote to memory of 4828	3496	Cimhckeo.exe	106
PID 3496 wrote to memory of 4828	3496	Cimhckeo.exe	106
PID 4828 wrote to memory of 1964	4828	Clldogdc.exe	107
PID 4828 wrote to memory of 1964	4828	Clldogdc.exe	107
PID 4828 wrote to memory of 1964	4828	Clldogdc.exe	107
PID 1964 wrote to memory of 1448	1964	Cpgqpe32.exe	108
PID 1964 wrote to memory of 1448	1964	Cpgqpe32.exe	108
PID 1964 wrote to memory of 1448	1964	Cpgqpe32.exe	108
PID 1448 wrote to memory of 516	1448	Ccfmla32.exe	109

C:\Users\Admin\AppData\Local\Temp\55fa5ee940a4c2c16fd810de5fed975030c3028d9ebe817683563c11a996a073.exe
"C:\Users\Admin\AppData\Local\Temp\55fa5ee940a4c2c16fd810de5fed975030c3028d9ebe817683563c11a996a073.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\SysWOW64\Behiln32.exe
  C:\Windows\system32\Behiln32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\Bhgehi32.exe
    C:\Windows\system32\Bhgehi32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\SysWOW64\Baojaoke.exe
      C:\Windows\system32\Baojaoke.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Bpqjofcd.exe
        
        C:\Windows\system32\Bpqjofcd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Badcln32.exe
        
        C:\Windows\system32\Badcln32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Chbedh32.exe
        
        C:\Windows\system32\Chbedh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        28⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        29⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        38⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        41⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:696
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        45⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        46⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        47⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        48⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        49⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        51⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        53⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        56⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        57⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        58⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        59⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        60⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        62⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        64⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        65⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        66⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        68⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        69⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        70⤵
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        71⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3504
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        73⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        74⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        75⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        76⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        77⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        78⤵
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        79⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        80⤵
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2340
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        82⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        83⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        85⤵
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        86⤵
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        87⤵
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        88⤵
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4436
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        94⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3132
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        97⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        99⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        101⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        102⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        104⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        105⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        106⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        107⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        108⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        109⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        110⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        111⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        112⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        115⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        116⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        119⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        120⤵
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        121⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        123⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        124⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        125⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        126⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        128⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        129⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        133⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        134⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        135⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        138⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        139⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        141⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        142⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        144⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        146⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        148⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        150⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        151⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        152⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        153⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        154⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        155⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        156⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        157⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        158⤵
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        159⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        160⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        161⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        163⤵
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        164⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        165⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        166⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        167⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        168⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        169⤵
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        172⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        173⤵
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        174⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        175⤵
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        176⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        178⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        179⤵
        Drops file in System32 directory
        
        PID:7068
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        180⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        181⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        182⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        183⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        184⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        187⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        188⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        190⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        191⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        192⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        193⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        194⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        195⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        197⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        198⤵
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        199⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        200⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6748
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        203⤵
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7148
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        205⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        206⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        207⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        208⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        209⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        210⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        211⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7280
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        213⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        214⤵
        Drops file in System32 directory
        
        PID:7360
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7400
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        216⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        217⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        218⤵
        Drops file in System32 directory
        
        PID:7532
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7572
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        220⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        221⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        222⤵
        Modifies registry class
        
        PID:7700
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        223⤵
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7780
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        225⤵
        Drops file in System32 directory
        
        PID:7820
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7860
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        227⤵
        Modifies registry class
        
        PID:7896
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        228⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        229⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        230⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        231⤵
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8088
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8128
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8164
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        235⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        236⤵
        Modifies registry class
        
        PID:7260
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7320
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        238⤵
        Drops file in System32 directory
        
        PID:7368
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        239⤵
        Modifies registry class
        
        PID:7436
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        240⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 436
        241⤵
        Program crash
        
        PID:7684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 7528 -ip 7528
1⤵
PID:7640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Badcln32.exe

Filesize
207KB

MD5
1fff12e612254ed1abf0944b529eae64

SHA1
d93af2c62dd8ee9fe0904ad5abcf60da4ca32721

SHA256
9c5a2d420f8819f9034c41fbdb13f49f2e4a9f69a0d121397e81fb07cff1155f

SHA512
4c99715c3d5cbcb52f079c29875489f5d86e5a2cf55f21177ec6459722a8e91eebe31d0c7e3e4644937b24c4e7c4f805e5876c982391fe598f1e82f2291ae019

Download Submit
C:\Windows\SysWOW64\Baojaoke.exe

Filesize
207KB

MD5
19c93d93e40f56db7da342f1368bbefc

SHA1
e517bde935a77fdb9baf6db94950fa05019922b1

SHA256
65235fbd5fad4e96c9d154d4b73028d74c6353a22d60e174a2aa8e5f739822f9

SHA512
ca1455b9481723f5f81f205e112fd883523c2aebaf2e42284e5a309e931b430094a496d426be7df704a1429c2d495c25dffa98867c66fd54c34d87c08ece6b71

Download Submit
C:\Windows\SysWOW64\Bbofkbbh.exe

Filesize
207KB

MD5
e78b7151f51448094d87a6fe62ed9797

SHA1
cd3748946e5991ca0621396d0d8c816396ad53c3

SHA256
2b7b61db8a9917d297765b9ef801268c152b33e52b48f76c64efddec221d6117

SHA512
9116a13e10d769e8e544fa7eae4470b25e704dfd9e5f48b46f349c8c99f93f6dbe8100b3cf8fa67ec6d999cec2704d5720d803bfd70ccf4ec8730ef59a704fae

Download Submit
C:\Windows\SysWOW64\Behiln32.exe

Filesize
207KB

MD5
ab7ae26892992ea1525be68ad49c69ba

SHA1
2b169e6bd9b1e83373538c74cab95a1426e4b0db

SHA256
054f5579defcf07f4588b46e3af6837af86576e2d58df558e0a3f1ad4d7ae1b5

SHA512
7a21f154cc85a1784fb89381899621cb5e3229e4196a9b88bf1026e82c9e7aca7d0df067e0b6032f9397aca0ff24cf71ca8c3b16f6fa40dbb6adb4f54c96a559

Download Submit
C:\Windows\SysWOW64\Bhgehi32.exe

Filesize
207KB

MD5
0263d443f29a8ac99659231c29d5458c

SHA1
8e54b77003cae069f1d0bc38af49639196704a74

SHA256
ff8838e3e3b89b293d67d1c5383bfc8e337cf325de53bbd4a7353236bff1aa4d

SHA512
d493aea07aa27837cc41f7a20654835b30881bf65d4c0911366c70cd523ef1373079e341cd0349b1383f330ac7c0532ab6e0df5bc8c1f786bc632b1f6f77fe13

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
207KB

MD5
fda05f7b754fb839e445d1c7a31e23ca

SHA1
6275d889f7e6248e98a21647908fad15ec2d4821

SHA256
419f90b7ac8d05e187a07ed880ef5819df7cc00ebffe22f3bdbe1b8d55f50d4f

SHA512
c88021e0675d5056e2ed378733d1a45740e06558655f43af7275adb4c2b0e747b40269937d2fe8d55d17547c4aa4f56583c2a1f2d1940b558097018957f248d6

Download Submit
C:\Windows\SysWOW64\Bifbbllg.exe

Filesize
207KB

MD5
fed902a3af60e8eb2df934d8a1f9f65e

SHA1
f92d4672adced570eae801acf6d8176f3b7dee0b

SHA256
682ddfc9f99a17ee952c4b828d3aa2e03c2d928831b8204cd4f7b450ac570d65

SHA512
4ceae8ceb13087e0eaf1476ea1ae2a22cc9de397d590b166fef766bbff8f019fdc4a0146c1ad9ffc58692219745f6d91ff5808d5bcc8093f1ca7885f4983c47a

Download Submit
C:\Windows\SysWOW64\Biiohl32.exe

Filesize
207KB

MD5
b16d1fff4db2e3697288a98e1a317d2a

SHA1
45679b64109435d1fa692e5f3ac1f898d50cc9ee

SHA256
da1dd34f3ec608d2d79dded7b79e533ed164261fb636921f52beb3c1cdf6812d

SHA512
2a1853c526357f0176fb5246be85bf127e75c33c900fcd3ec6e372ca0cfea6cd3a9cebd79a64bb4a76ca1d19a5d42663b8c8e57455c7e804f3b0557391abdffc

Download Submit
C:\Windows\SysWOW64\Bikkml32.exe

Filesize
207KB

MD5
50b7a729f34bf65bc516ba09f4a5243e

SHA1
6ce58425d309f2f604d084a148486349dd7988f4

SHA256
6047dbf0c1f66342323accb005a5b6a2312d1c06f558e4bb748cb2d870b50d10

SHA512
52dc1a907fdf3ed3615e034edf73647e6b1a7927d55b1ae09d6ee2aa9eb7f8f3c596fb84476d780ae91e5eaa88f36b9ff1b13906173111dca5fc1df7a723a011

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
207KB

MD5
130abc528a4b9985987c839385e8322e

SHA1
cd032842eaf0ad4d5a30596f795e354f82803edc

SHA256
75350139157a7851363ac15fb1a2c5557eca24f92a8b7fb0c948603ae54851ab

SHA512
65d8853c6c07ce0aec01c287c21d88ed11e2badef09c7b6cf924af9e2b84856685a4a160eaf042b0e2fc49a294b9fe9f213b346823487a99ed3ac7750d13332c

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
207KB

MD5
c67bbe1ecb44caae6f17c7a7be76aa13

SHA1
d77668fd5bf5f573fa1b77edfa6bb5448b015304

SHA256
33e549bfe8933ab3cbb1d41c07efef59e5a0e2015070e197b96e7f799e52e8ab

SHA512
3137a93f53e96a9748a57510feb684756718ccc7628b52b3686bd95918d2d9050bb766c0f7a8ed9c5ea68b26c2ca1ddb531edfe4193f2c69e5e1fcfdf159a3bf

Download Submit
C:\Windows\SysWOW64\Bpqjofcd.exe

Filesize
207KB

MD5
416ccd3cb570f67cb3e20dda597a25bf

SHA1
391959d669a08973ed14b58cb0e4df092098449e

SHA256
2179f5b128d566e1040c09725082c66e9fdcb43eabff6974e5e9496c152e8fa8

SHA512
14ce7c880f21c014be9efdd74b10376173c8fc22eb0cb6cc9cee516c65c10c39d658bee2614f7cbfd733d9abb78e28b2c99b1b2666427b62896e80ff7558e1aa

Download Submit
C:\Windows\SysWOW64\Cafpanem.exe

Filesize
207KB

MD5
409a5ce09b65e2480f615032329c6dca

SHA1
a463b29b3003dd62b952eac72dd4df8651e84f2b

SHA256
23d258b92d77a7764aa3b47f5fd441e5f328156625291fcd1b35246e53d12216

SHA512
09829e755aadeb3a8048b74fdd938976956c1d788e557d29ea75cc4f9d8633c670b5c27bf1f1745b966d39d268903e173728d75e8ba513b26e05d9809db1759a

Download Submit
C:\Windows\SysWOW64\Caimgncj.exe

Filesize
207KB

MD5
f51246366cce589ac2319935cb7b4289

SHA1
4dbb7dc3bfad8f92162ec28b2db4ad8f26f9c443

SHA256
63bd6dd9c2978b2676d1aa16efda9d313c9544ad8c9aa2339e81cbaadcf38669

SHA512
cd1e142aa8cfa78f33ab36bca9bcb63c0d4abb0e4d2ef4b7ea3724f37b3f12c75421a2855fa9fa0b81dfd17951d7d0b6a449dbfe8f30bbb672661a8620ed3802

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
207KB

MD5
0206163eaddc0a156668cba3088ff767

SHA1
64b0e89ab729c7e9f5e2cf01f4f6ca935311308a

SHA256
63d9e840c01d1a72fd3a05986e409131b0622a321af6a4e1a5561a99841be5ba

SHA512
219ea15ef0c08b4260d555bef4fe947ade716c9884122612f96b0558be9884fcc21be5b968794b66e9aae31eab210ddbb4fd6d7d4b4773e3ef3dbef9b4139523

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
207KB

MD5
4c5c2da56cf84b53db790de5055ec96a

SHA1
0ae151ea7d181e5774572ed55f9ce70ddeb00739

SHA256
b8cd4043d0273ac2ffb16b6126386bdaa2bca6be17b15594d76972e1152551d5

SHA512
f54d7d5b89f36ed85c93a9947ed31cf4fbb476ca8ebd7c435b89e305afc563b38ab1d67827a1efc62583b28abc842cf4afc56703392bef49be5742838d5e006b

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
207KB

MD5
6cf6ad22f9ba7394ea04bb9faab6a464

SHA1
bc287ffe9c728cb809cab5eb52e941a8145520df

SHA256
3b1c761c058905398320a6ab7d1dddcbfe89c8a8d16b576530900dd3e9614348

SHA512
6a6adaa1d08d8afb3e5f3cf906b61493efea8d50e3899631d8e9093ae53fd5e12ec5fbf9d203e8eab4d9a4cd7972dac36d0d4070ed5ec9ebe6cfc1231848084c

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
207KB

MD5
60ed176448f0340c222efa89021c4697

SHA1
803370dfce4b838eee20966808008ea36d509b33

SHA256
d4aa2e8331a1242e7f433565fade07a8130231a9dcccbef155c414ba7d6a47ba

SHA512
86c1d0f513eb8aeb60d1eb097e9bca1b923d7c4b94c280912df04f351f9e11f1f3fad2654c1c52d369a0ae382456b21e71dfd631a28e3d018a455779eac8464d

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
207KB

MD5
53199d2d83d3e7b68acd5f3e36ff115b

SHA1
7e8a18cbab24d25d98961cfce7d86b39a20d2c86

SHA256
a3fa6e59137dd729a63e77f4dda3692cf0bcafc07d75d4b97443710a2bc0b049

SHA512
5b01d0bced42ea5a8de71be4eae1a0b388632513000ae803d93f812ad780555a97b19013e3d564e57fa9ca074f0fe69626e92380bb283a96c59630c0e5d669ea

Download Submit
C:\Windows\SysWOW64\Ceblbm32.exe

Filesize
207KB

MD5
37674b7d8bd0b327cf1ab1eec27f21a5

SHA1
535cb4a75afb78aa874089187b4297931f1ea9f6

SHA256
fbdf86925a13b77f4b2433a88400b76466942c4835cb126957ca822365d905a3

SHA512
de1867a5aaf2425d17eb62c9bbf74920cdbb8c467993e0360eceded53ffee9d74b2e6ea629552c63de7e52a22cdc43f9065d057187789ca5bfd05f785edcd7b0

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
207KB

MD5
bd6b0e6e971bd006e7e7d2dbd579faeb

SHA1
f27dfbb6c31ab1dc6aa184d3d181656f5248f2a4

SHA256
9dc8dce03151df8bc52bc700a1be1461ef0cc1749a33cfcbb8fa127d841006a5

SHA512
79ddbd838db0e63d3471538770339db32fcefa52e9d96780a6ac6530ef3433b4c9e1374be5459c34345130be24f5cf8462b7af4c9fec5cc7722f5d1906f06bd5

Download Submit
C:\Windows\SysWOW64\Chbedh32.exe

Filesize
207KB

MD5
b66ed80c9cdd27777e8d44672811517c

SHA1
2662fee6b85583cf40c518fae39280ad91de7981

SHA256
a7e62fb91f2b1666cf1007f3a108c34061cdfe90b8245c53c0cae1cfe02d6ce0

SHA512
550c57262c5245d1473596d78ee52981e46d642f9dc614d6b1b7989865a7f23a6351dd80768f496e54533849aac8a75627b3ec80872904078416822107ff45bc

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
207KB

MD5
87cfcf37d76577c1c87ec01fa1e156f3

SHA1
4d8ea9a6cac0081703e8371de527d3fddc7e53a1

SHA256
5836182c66ec0560d1da2b8a2731cabc0e312c37be57c3bffaafcd712b33d70a

SHA512
8babda3bee8ee79947d88b25d52113eafd3d64da37f0dec432f6f3330ada4be3ee3f51ab7d45049f475ec9a22b0e7b8e14e9cc2bbb47f591d4627631922c72e5

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
207KB

MD5
1fb4eb9bd187dd32a31a71c3abfe035f

SHA1
b16e067f356549468ca149e23f6bfb58979b502a

SHA256
836bc0cc20302cecea58cceb17283ab61c430f9e67bd92b52fd209def0204aa7

SHA512
2ce7453716fd269b2a8cb2f915315b19cd84ebd0a00885f204e6ac11806ca1ba1c901f14f7b1a2f22208072e11074c84d4f862509b5f59c046444de7aba6291a

Download Submit
C:\Windows\SysWOW64\Clihig32.exe

Filesize
207KB

MD5
857e630153b45cfaf1cd320ba80dfcd3

SHA1
e6e13bd981f602f791d202f05dfb32de8e4ea7fe

SHA256
41451927afd2fba05c5950d710bdece96ace111723b63acd789f38d5a3d4b232

SHA512
ff36ff6613a8b9ac6943892a07ed027499dc38b6f23f94ec5807826b380d064b10d7e4dcc911be00d0d70d87a4f0a57bbd58a25f97ec8e5b3cf044c69485e28b

Download Submit
C:\Windows\SysWOW64\Clldogdc.exe

Filesize
207KB

MD5
905a563339071a6668f3d5b90e98fe23

SHA1
92661b7c9cf0580ef3141c860bb4a454ed349e24

SHA256
4fb164c01ea282b5b4a166e8345518fd6ccd191c7e160236b24594b042db8d53

SHA512
28cc2f467a41442e45462e1af650a226c8fa3ecdabb818fa0fce759fe98f5338e347814839dbd2be13c6684cdb6149b87ce0dfdf1264419cf8cdc3555c9e0b6d

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
207KB

MD5
5d3f3343295beb449221a01842f8dc2b

SHA1
f0dbe416188abf506d919bf00351900fd95db0ea

SHA256
a3af58cab11abeb47e8a5b0a7fea4708760f3bfd406e93c634a8ccb655d2bd56

SHA512
95f6d0496c084ed7ed6d17e5c8dcb0e82f2f1ea040cb6ae11504768598868887e92754e0a68731e6be44bac9579d00ddaacf515868d79e23580cca44c3a2e07d

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
207KB

MD5
35b0a99d52353f0490ea7e5d8d6fce6b

SHA1
f1e6f5ebe8be2d4575d79afb386ede3d5359eed1

SHA256
9ed2d9568e77f2d25c502f78a80ba0bc37690caf98670b6565271e55df5f873f

SHA512
66309eecd2a5af31fab9792411e3a8c75e15821c8ff0b06b1c8932218756ed2f9b3e68a36a3fd41d908bd092331e7f41d61e07128b47b768dbdcd2652b7eba5d

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
207KB

MD5
5df10804390daee13a9363f3af672c56

SHA1
f60036876009c025bb5d6a55416e8840425e6867

SHA256
d983ba3fa12b0320e01bc2284a12675d7643ec7eae20b14036845381c15ec9e5

SHA512
472c034832ca781facb0af57e6675cf9094c5c81883ca9b74d37195bdecb39b8140cf5ce814037ca5e8af991226646e71aad94a0b9fad8e835dcabbc592f64bc

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
207KB

MD5
496219f7bad32c4857465d453c3e755a

SHA1
0147ba4a64fd7a3d38f04933eee1acb627259fb1

SHA256
089686cc9aa52a568cc69136a096cfa54161d7d8d6bc1bb61f2f425709c47e2c

SHA512
8c573450ce9cd973474f512e8d9cdb9853f5905db4b2e5475305bb9916b34b17ec12204ec5c6e64ca5c6eb8ef71e578ce615f44e6ce8405e3c4dd0f43ca3c0d6

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
207KB

MD5
dcb4517fc9a94ec9e12d2896f3dbd4db

SHA1
0577c27906b61ceb5c14504cab4d7c186e119183

SHA256
f1b8443b7f4cd922fb97453a2ceeed906edafd59d12cf5bb6192fa15eaf24749

SHA512
d15218a35cbda79126af32972f2198670fed8f2525f9e2e2315f2fe5aff96609c282741f367b6db79b2e36f1a4182c5f9cec904519b9eb55fe37de851d5b6a46

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
207KB

MD5
72415af731979803ef1cd891494d5afd

SHA1
08a56e8fec70027bb100f109e80998149889bdc8

SHA256
0d919c180a18d9eea9494b416d12007ad35176ae5698b10363627381a37f3840

SHA512
016b712bacffad5b55bb515f4b11ea6f8d599b10b7ff54dcf451dc57d808cee3e057fc8ddf5027015fe7dfbe6f6ade12a2c7826218420545025b5764906fdb21

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
207KB

MD5
8d133a4ebb49bf63979996a408ac0730

SHA1
dd28d2d0096f68778aca7690123c8a8d1ca220c3

SHA256
d5e5474dc1bf86f53ad3c5df6b60ad98da0d240e601839c56e0c06a95363c422

SHA512
c2c42eed36becc9ca472453f52660ca12327684835de8eb693b4f6cbeb07cd71f277150fae8a3e16a7851bd69314cfc506e3203b14b5851ae3d399b0082649dc

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
207KB

MD5
0d68571630934adcd585396ced9ae95f

SHA1
def98728ba20a7fab02a238581711660321a3291

SHA256
dd2d4d66d2bb98fa18365c54fbfb6f365f8c69b9d8ccda4e408169bb2f408cb2

SHA512
3d72804e284c692d5fbb6499d167acde6fd7f41eefaecf358be475d09a2403d063804f14de979492eced834da2341a14cd6b49166b18f4f9439a50c8928e879d

Download Submit
C:\Windows\SysWOW64\Helaah32.dll

Filesize
7KB

MD5
63596292f7aadb81166172002ecc1f67

SHA1
a2118cbd8c102a18e06014d8a903027f5fb156a0

SHA256
53df368bd4c2ce84dd0115d154f3cdf5e0175b61b275979e230b5e47f65641f2

SHA512
66f4fc7e6a8f8896e290f3fe766f29a96356e906e9f7c11a1014bbfa5751b041fbb2a2672e143a16bf1b8c4d1edc3939d7064ec95aa9659e62a16f263eab5272

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
207KB

MD5
3f25a8da826cb7cfceb157adff87272a

SHA1
ff2d1c984c69a1cb83d1e9f96025f9ccd895c9b6

SHA256
8d3baf2faeec097f2cc3e49f554bfd0a9f298432528744a8739c517e90b45c3d

SHA512
fd969e6a2c8cb23810f5393081e540c3780f7bc5af757c568074fcaf7597e7dd286b0750ef4b7d5db8d0c0e3268663b5a491810ad4dc2284d3d6f3d691cad0c0

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
207KB

MD5
d45a210f4eff25c005626cba568a22bd

SHA1
398fca4ad575eea98f9247a427be81803a71148f

SHA256
1b447cc4934889c5aa570f2e23d8671f3e80c663413695587566771f0c885146

SHA512
f058dbbd54d1594aa1ecfb0e959e27b5252462e71f9b8f176304f85f33fbe10b724de72d0707789970a80b52749480f1cd18d6dabed7f06f8a6452c98b7715e8

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
207KB

MD5
3178b847137fc231a4bd8e348e79add6

SHA1
2322d98494380e320e0b4a7a39678d6f81944c67

SHA256
0f1bf9dc4de657eee5685b162f752af8fb4fe85d96a3fa580abe923c9aa1a56d

SHA512
b8b79d881914fc5042cd2cdb60f3800777f4e1f9e5eea04855ac90ed431a0eed1a6e3e74ad27908710f0b92c2be052cf99966bd0457391403278a9fedf08baca

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
207KB

MD5
7aca032119d70846c0bea92edb1545f3

SHA1
0aeeb3853e865ab87127743749cacb6d8e186596

SHA256
ef83e1007ece920e7184dd0bd9917043d2172d489ef70a31bd98fe81d9e49903

SHA512
e33a5962bc54468260b0f2aea40280d1aaf8cd4905858f3cae5cbe383ae4bfa05ae72bddd23792f6fd12a5f001dda8a33d02e2afd2b914ede5ae2c12fde292fc

Download Submit
memory/8-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/208-279-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/456-557-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/512-321-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/640-414-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/872-276-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/912-271-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1372-424-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1396-30-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1448-261-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1520-103-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1600-285-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1760-278-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1856-470-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1876-268-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1896-432-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2016-87-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2028-511-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2040-362-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2256-315-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2324-337-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2340-522-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2444-397-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2600-270-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2720-538-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2828-71-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2868-391-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2952-504-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3108-302-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3316-426-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3344-384-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3476-448-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3496-250-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3504-476-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3508-528-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3544-292-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3680-309-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3832-351-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3900-243-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3912-540-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4136-349-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4144-85-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4148-550-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4196-99-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4208-469-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4420-339-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4428-111-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4492-438-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4508-280-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4524-389-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4544-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4568-39-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4640-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4656-372-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4664-229-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4728-327-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4740-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4828-255-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4848-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4948-498-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4960-263-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4976-55-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5004-488-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5088-408-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads