ed4b2a3bdb8fcc635890bca623feb0d55fa060061ae043598aee128502e30389

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da5a7a01f1e69662892cbdb8c6feab17.exe
Size

320KB
MD5

da5a7a01f1e69662892cbdb8c6feab17
SHA1

da5745349291e48c51469fb48f1f4d55f24dcbd9
SHA256

ed4b2a3bdb8fcc635890bca623feb0d55fa060061ae043598aee128502e30389
SHA512

2d32d08198b5f1bb9cc7840683065e6eba9b53bedb16224c8dc2037b69b650c74e08fa515fd2326b180238e899790fc156d4ece78d9e64b0ac4d05cba1f000ba
SSDEEP

3072:BVR7E51lfBhAy8/41QUUZm8/41QrAoUZ4pWLB51jozFWLBggS2LHqN:p7E5bPyZgZ0Wd/OWdPS2L8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	da5a7a01f1e69662892cbdb8c6feab17.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe

Executes dropped EXE 64 IoCs

pid	Process
2984	Efneehef.exe
3056	Elhmablc.exe
2592	Eofinnkf.exe
4100	Ecbenm32.exe
212	Efpajh32.exe
1424	Ehonfc32.exe
1436	Fokbim32.exe
1748	Ficgacna.exe
1084	Ffggkgmk.exe
4824	Fifdgblo.exe
4088	Fopldmcl.exe
2424	Ffjdqg32.exe
2736	Fmclmabe.exe
184	Fbqefhpm.exe
812	Fjhmgeao.exe
1624	Gfnnlffc.exe
3308	Gjjjle32.exe
1344	Gbenqg32.exe
3408	Gmkbnp32.exe
3644	Gcekkjcj.exe
4288	Gbjhlfhb.exe
2928	Gfedle32.exe
3460	Gbldaffp.exe
540	Gjclbc32.exe
4748	Gppekj32.exe
2388	Hfjmgdlf.exe
5028	Hihicplj.exe
2344	Hcnnaikp.exe
1688	Hbanme32.exe
4364	Hbckbepg.exe
772	Hadkpm32.exe
1632	Hbeghene.exe
1380	Haggelfd.exe
2268	Hfcpncdk.exe
3956	Haidklda.exe
1880	Icgqggce.exe
1188	Iffmccbi.exe
3788	Iidipnal.exe
3248	Ipnalhii.exe
2144	Ibmmhdhm.exe
1760	Ijdeiaio.exe
1248	Ibojncfj.exe
1524	Ifjfnb32.exe
1904	Imdnklfp.exe
924	Idofhfmm.exe
3480	Iikopmkd.exe
2824	Idacmfkj.exe
116	Ijkljp32.exe
2404	Jaedgjjd.exe
1020	Jbfpobpb.exe
4144	Jpjqhgol.exe
436	Jjpeepnb.exe
2732	Jmnaakne.exe
2808	Jdhine32.exe
4236	Jjbako32.exe
4508	Jmpngk32.exe
1668	Jpojcf32.exe
2940	Jigollag.exe
1472	Jangmibi.exe
1644	Jfkoeppq.exe
5100	Jiikak32.exe
4424	Kmegbjgn.exe
2740	Kpccnefa.exe
3496	Kgmlkp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Elhmablc.exe
File created	C:\Windows\SysWOW64\Fbqefhpm.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Efpajh32.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Fokbim32.exe	Ehonfc32.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Klfbpcko.dll	da5a7a01f1e69662892cbdb8c6feab17.exe
File created	C:\Windows\SysWOW64\Hkcdljbo.dll	Efpajh32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fmclmabe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5336	6060	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll"	da5a7a01f1e69662892cbdb8c6feab17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	da5a7a01f1e69662892cbdb8c6feab17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2984	4964	da5a7a01f1e69662892cbdb8c6feab17.exe	85
PID 4964 wrote to memory of 2984	4964	da5a7a01f1e69662892cbdb8c6feab17.exe	85
PID 4964 wrote to memory of 2984	4964	da5a7a01f1e69662892cbdb8c6feab17.exe	85
PID 2984 wrote to memory of 3056	2984	Efneehef.exe	86
PID 2984 wrote to memory of 3056	2984	Efneehef.exe	86
PID 2984 wrote to memory of 3056	2984	Efneehef.exe	86
PID 3056 wrote to memory of 2592	3056	Elhmablc.exe	87
PID 3056 wrote to memory of 2592	3056	Elhmablc.exe	87
PID 3056 wrote to memory of 2592	3056	Elhmablc.exe	87
PID 2592 wrote to memory of 4100	2592	Eofinnkf.exe	88
PID 2592 wrote to memory of 4100	2592	Eofinnkf.exe	88
PID 2592 wrote to memory of 4100	2592	Eofinnkf.exe	88
PID 4100 wrote to memory of 212	4100	Ecbenm32.exe	89
PID 4100 wrote to memory of 212	4100	Ecbenm32.exe	89
PID 4100 wrote to memory of 212	4100	Ecbenm32.exe	89
PID 212 wrote to memory of 1424	212	Efpajh32.exe	90
PID 212 wrote to memory of 1424	212	Efpajh32.exe	90
PID 212 wrote to memory of 1424	212	Efpajh32.exe	90
PID 1424 wrote to memory of 1436	1424	Ehonfc32.exe	91
PID 1424 wrote to memory of 1436	1424	Ehonfc32.exe	91
PID 1424 wrote to memory of 1436	1424	Ehonfc32.exe	91
PID 1436 wrote to memory of 1748	1436	Fokbim32.exe	92
PID 1436 wrote to memory of 1748	1436	Fokbim32.exe	92
PID 1436 wrote to memory of 1748	1436	Fokbim32.exe	92
PID 1748 wrote to memory of 1084	1748	Ficgacna.exe	94
PID 1748 wrote to memory of 1084	1748	Ficgacna.exe	94
PID 1748 wrote to memory of 1084	1748	Ficgacna.exe	94
PID 1084 wrote to memory of 4824	1084	Ffggkgmk.exe	95
PID 1084 wrote to memory of 4824	1084	Ffggkgmk.exe	95
PID 1084 wrote to memory of 4824	1084	Ffggkgmk.exe	95
PID 4824 wrote to memory of 4088	4824	Fifdgblo.exe	96
PID 4824 wrote to memory of 4088	4824	Fifdgblo.exe	96
PID 4824 wrote to memory of 4088	4824	Fifdgblo.exe	96
PID 4088 wrote to memory of 2424	4088	Fopldmcl.exe	97
PID 4088 wrote to memory of 2424	4088	Fopldmcl.exe	97
PID 4088 wrote to memory of 2424	4088	Fopldmcl.exe	97
PID 2424 wrote to memory of 2736	2424	Ffjdqg32.exe	98
PID 2424 wrote to memory of 2736	2424	Ffjdqg32.exe	98
PID 2424 wrote to memory of 2736	2424	Ffjdqg32.exe	98
PID 2736 wrote to memory of 184	2736	Fmclmabe.exe	100
PID 2736 wrote to memory of 184	2736	Fmclmabe.exe	100
PID 2736 wrote to memory of 184	2736	Fmclmabe.exe	100
PID 184 wrote to memory of 812	184	Fbqefhpm.exe	101
PID 184 wrote to memory of 812	184	Fbqefhpm.exe	101
PID 184 wrote to memory of 812	184	Fbqefhpm.exe	101
PID 812 wrote to memory of 1624	812	Fjhmgeao.exe	102
PID 812 wrote to memory of 1624	812	Fjhmgeao.exe	102
PID 812 wrote to memory of 1624	812	Fjhmgeao.exe	102
PID 1624 wrote to memory of 3308	1624	Gfnnlffc.exe	103
PID 1624 wrote to memory of 3308	1624	Gfnnlffc.exe	103
PID 1624 wrote to memory of 3308	1624	Gfnnlffc.exe	103
PID 3308 wrote to memory of 1344	3308	Gjjjle32.exe	104
PID 3308 wrote to memory of 1344	3308	Gjjjle32.exe	104
PID 3308 wrote to memory of 1344	3308	Gjjjle32.exe	104
PID 1344 wrote to memory of 3408	1344	Gbenqg32.exe	105
PID 1344 wrote to memory of 3408	1344	Gbenqg32.exe	105
PID 1344 wrote to memory of 3408	1344	Gbenqg32.exe	105
PID 3408 wrote to memory of 3644	3408	Gmkbnp32.exe	106
PID 3408 wrote to memory of 3644	3408	Gmkbnp32.exe	106
PID 3408 wrote to memory of 3644	3408	Gmkbnp32.exe	106
PID 3644 wrote to memory of 4288	3644	Gcekkjcj.exe	107
PID 3644 wrote to memory of 4288	3644	Gcekkjcj.exe	107
PID 3644 wrote to memory of 4288	3644	Gcekkjcj.exe	107
PID 4288 wrote to memory of 2928	4288	Gbjhlfhb.exe	108

C:\Users\Admin\AppData\Local\Temp\da5a7a01f1e69662892cbdb8c6feab17.exe
"C:\Users\Admin\AppData\Local\Temp\da5a7a01f1e69662892cbdb8c6feab17.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\Efneehef.exe
  C:\Windows\system32\Efneehef.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\Elhmablc.exe
    C:\Windows\system32\Elhmablc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\Eofinnkf.exe
      C:\Windows\system32\Eofinnkf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        25⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        32⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        33⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        36⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        37⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        39⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        46⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        47⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        50⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        59⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        61⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        65⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        66⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        67⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        69⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        71⤵
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        75⤵
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        76⤵
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        77⤵
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        81⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        82⤵
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        84⤵
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        85⤵
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        86⤵
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        87⤵
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        90⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        94⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        95⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        96⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        104⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        105⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        107⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        112⤵
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        113⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        116⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        117⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        119⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        120⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        127⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        128⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        130⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        131⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        132⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        134⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        135⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 408
        136⤵
        Program crash
        
        PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6060 -ip 6060
1⤵
PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
320KB

MD5
4b89afdc9c7de900c2b5cfbdde6a9863

SHA1
660f8676fff57007fda6a9aff8f50095accfc1ae

SHA256
7ce8e80fee643c3ecbf7d80010e686b8eb81d4f7f07bb2172180d2e6066e5ae7

SHA512
ce2162f79f43a2883a85d0adbd42ab243834aaf91ec01cdb2977eca50277f5ff80bece844fbdc8cd55b49c58888e899f69a02fbbc5679cf6ef536cee2d35ea28

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
320KB

MD5
0801914b843be73c2301582b5a48a74b

SHA1
dd99396f45884e018ac65239188f130729138374

SHA256
451024c9fdf067a6d86acabbb28815a5769540cd014b109fa35b1eb7f85c92ee

SHA512
0a6eacddebb189cc0324c9ffadd1c87e00e3eb1a3fdc1987e25dff3094794d42288adca95a1f36e1052dc5b1139cd2e89f00767d12daaacb9f4700ba5b55cf7a

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
320KB

MD5
2a5ba67725905d14c6f867eba399eb53

SHA1
6a52a8841f96e930d1610018b70b616e1829a257

SHA256
c0556d7367b08d4af75d66f143b040d3c47bd8a5f087155379652436e7bdb68b

SHA512
f8471083ed85ea3fdb1e310ea14f6edd4984d1fd6426730db615ed3472fb7174f6413811a5a6ac91be98ba9063b456ef3bcddb70825cd644d233979c363ee233

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
320KB

MD5
51497b76685e307268ccb944872d27d2

SHA1
f9adbdebd244fba5ad076f47ace974788ba41472

SHA256
534b888ad6e03d56a5c513d1e810e5e77238062c4d528a636fc8f34eb0e3c8e7

SHA512
aa3e2f6be20725332d6e27bba94e84c00a80bbb476fc22b6b7d3b6b96f44f8aabd6b8c97290c4230b39034e3e492118ab6eee853aedef8777f7c7ee320241cd5

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
320KB

MD5
0025df999cb090f1f1319719f60925d1

SHA1
2f4743f5bf365c7def52051797d45ef3a93a3abf

SHA256
6eb974cc8d109203d5cf06f9da2a210f0f48bf7116499bc76d5cfeeeaf681ea4

SHA512
7dbde87214068c6512c0a72192b7f2346f4e8049f88c217990e652ed3ce8b1c6b6aed4e06b8b9a85854193eb144d05f63e05b67d0bc1a42432459ec4d863a1ed

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
320KB

MD5
9211554e82fe3aeb164cb55b40b06c66

SHA1
9cf3667c4dcfc4f99afa77c9d762263581de18ba

SHA256
f2d221b5e071cee1c22d2871684e96ba2be29df3fadacceb8f4eb9d536006c35

SHA512
d8dd271da6f2f48c2950ad0a643d636d340116394ea078b4f61093d63e2cba8c7448bcdeba5364df9b920aa95c77d54e3f2180a08c5a14d61e924c5a9c3eef2a

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
320KB

MD5
9337fae6383a2d3c744f2adfbef9ab27

SHA1
b43ef24f6cf6e1945ccd2eb7587689b1252a3cc7

SHA256
7cdd5547f22185e5bd2dcfdefa4f883c24556433ec83641c7b606624823c6e3f

SHA512
e36dcfab6a3087c3de862d492657a67eb4ec1cdc8a0d86efcfa6585fe355b1752b3d1b75d7b6aaa56142269b9bd43659382d477f25244f16b966b247cb4363b1

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
320KB

MD5
35ba06576c29e4bfd6f037b2894240ed

SHA1
3c193bfd8afeccc80a2726a86c830f3af884114a

SHA256
5e811e7e3211e9eb17ef45843a710ea7798da25d6007daa063df4278c955d5db

SHA512
59264ca1a0f613d7df01707e51698403e3ef782c35e53d5eb404f717a5ddbbb4f5c8f452cd9b2e15f694b067382ddc343dfcb85a7854f7a56063b3b8df00bc62

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
320KB

MD5
6848b90238e2a2961c4b06849f7a780d

SHA1
eebbb877cfe189b86c5730892663139bd229dab9

SHA256
85fe0b4c559cab9bae1d38f5d67768f7cf6475916bb648bd7961a3b6c18fc2c4

SHA512
b0568639da0a0d711af0584c1da0e46253b2a44241ae04ae1acf5af74ea7198523ebf1c1cf23fe54823cf780d30ee8f10d6903bd565d0677c0a36bc14112c23b

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
320KB

MD5
bb93446f376692a165def451f22faca0

SHA1
97c824195411ac8824248a5b560b094ed3b403c3

SHA256
9981f596d2b1969ee0c49552afa62621d2daf67add2842d745a920384152411f

SHA512
a5f361fb02bdfb4f593b38d1c1c1c793e49cbb79c601a977b2b4c77c169228465da569ef3523dbc93b3133d3eefa56e972a88cfc588883c0f5b4f81b6cd9b029

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
320KB

MD5
f24d63f8fbf0925c2782aa428c2999eb

SHA1
17a742d01352963dd0b5979b30cfd5ad9a37a452

SHA256
ff28a878761def541f6c034b13733a88909e5d982b5596d15419052dd5d0d5cf

SHA512
02ebcb59ed41cf03dfb544dd02974ffe11c403fd8e39d2d6de53d50f600726d027a30085aac67fcc5da23077ac2bb63b0c598509d1151b5fede70c4cf3540ee8

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
320KB

MD5
f3e8e996de85a686cd6dcfe91e4e879d

SHA1
a0b2c9211b6e021a9eb24a3e4c71e929772922d1

SHA256
1aa5b6b976af9c86b5ec8734b1aa805da81dbefa1e13e80a98dc457ba9ca11b2

SHA512
f4c6acba121e4d4bc46fc73adc6146074e0eb5de6d6ab39588f6c9e5c25337f04c56f768abeb8a67a40f3e954df91af46bd3b8995b547fa131880a05f39a2444

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
320KB

MD5
20bcafccf58fb5870b80f99f3013d179

SHA1
572cc5dfaf3ca51fb34f4822885e4e06ad6449b0

SHA256
0d4770851a2615faf90c901ac69f553bde5d55b7fb85f7a79357fd41b4f2679c

SHA512
32b49cc7eec27d0798f8fca07de19f3bf271ce84882d610f3ee252bc6c19298097ecb330ae76ea19282442c7202d2bf0ebd1b27f03d063839d047189cc4a47a2

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
320KB

MD5
ffcf8c381277527f6306932046377888

SHA1
56a81d73809afe48d4eaa2a8dfbc4f3b62369a00

SHA256
1c5b635fb98165f6bf59d31aeb8d8e91b7f9e228e9caa58aa45ec1d20660eedc

SHA512
53431809b413b700f0bf429fc8ba997ff942b9be6f55fb85f9f0e7e75eaa2d720daa1ff9f6231edf742d1376f13ba036bc92f8c302a858e8dabe8a2401137265

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
320KB

MD5
2252406079ba32ceb321a1a8c2120077

SHA1
5910126e606919e0180fd3a3d9c0cb4578b26cc7

SHA256
fb9f28915192d9e94e53ec6eba6f3abf0b69cc0a030a7fb5274ac6f6dcf4e575

SHA512
1ac5086931b1d06e4924019675ba821103cb5034bd31927c6825452587019a6f89f1a8840c353b0c0ed769e1bb2e1fc150a00eda45b3e8270cc15dec808c8fc7

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
320KB

MD5
31db08e3c1ff9402450115b1406a725c

SHA1
2b14a770193ba6d9c0cd949b2d9e74e6d4ceb075

SHA256
202175ee72928f4d6d1301657bb8f230bb727ebdce475fce434b9dcaf7ff3af5

SHA512
5f6f8972120aa8e32e8f5866b4e5b57283708fd63964b4162572df7c6e0370ece300f63e03afcf8171e8ad5c9a96697552653474f726187d7b3199267068f1b2

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
320KB

MD5
09e3f4f0ff7db30d9b999c34221a4a5d

SHA1
dedbc2c1e052bcf015915e6f4a82ad1d4e99930a

SHA256
c06cbdb1d6840e49b6a5e78dbfa8d725aad7bcc14a0cddd0eb4d8eebceb9ada2

SHA512
c8b8d33d777103031b9dfb24f6ccfea37bc069a067dedb1937c681be5833c10cbcb3798b368d880208bd9ac5f431f15aabcadcb0c81e2eb1772b76f9ba4a5099

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
320KB

MD5
607d91c0ae23facf4f48462ce4b4505d

SHA1
47d32464af0c1b6cdf94044940452b7e672ff7a3

SHA256
53142a2403fb333ff765b3c411cb7a3cf2d8ac7c056e22b7562189a9d61dd46c

SHA512
afde385c87b2d343d5a5b8f3e4089dd2fbdfc9f46f1f76d6136f915744b0649399133baa6c2f07059810b6a33e78939b1478d80740a78c9713ffbf19c38f9c83

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
320KB

MD5
e4213f69e08931ed112a31ca3da9e0d5

SHA1
a3f995a071145ba890898f248a2b29a2ef1473e5

SHA256
d4fb91ef2b06ccdf3456f1c2121ae930556d601c07221ec580d0fc2661868875

SHA512
4bbd5d3eb02438083d5f6733e1f02c6596c6ae03f61796ad883564af21bcf74e34e3c5182844cad80cd6bff4bf05f96c16c756c9f3c73524cb1e0e6a6fec7bca

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
320KB

MD5
c83d60e5009ad7771f1e96087198c003

SHA1
b675e694f31ebb069f3403176748bfdf2979190f

SHA256
e85cf62f01ada180d4980b6aef2cacb7834e1e4afc2c2fca09f7973fac384745

SHA512
8a1d61ec0a855440c5760f5aa60aab4594acfd03bd523c6e0d050280fb59c1a8c6b58a5f832786ba729a97fa2d0dc4e34621841eeb211cadbc6daac6ec30d3e8

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
320KB

MD5
b5c9ec2708697d591a2069d0711f4fbd

SHA1
79f49b4cb4300f45c0b674a62b99e44f23a17a0f

SHA256
a7402778a4223de71ec81dad81b7308892c1ab0b43ed575a55e4ce02be4639d3

SHA512
6b1b0d9d22f60c3e7c7897d1d85d047bf770af30ef7405c62684605106d2bdde41e286f3cf50674ba18b4b3752b51796edea1e2ea849b2d1eefedcdcb8ec07a5

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
320KB

MD5
df1dc341c144091ad03f28ddb9b95e9c

SHA1
20c1c4de7a2edd782e21d75e17e3559a0045c3fc

SHA256
e974650cdfa3850938919defdc776034faa75d287e06f49cca86035f1d916f14

SHA512
6decc85ff2eb9e8bb9bdc8b59e391bf36ab355db47fc657c0c70adbc6251267b73380ababb8096117f5528bec6157b48df73dc406b65f76daeda0a67ca2c534f

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
320KB

MD5
a945534a72a69a6583c6c49978a3a75b

SHA1
a7a31b49a46717848b1b2ae5dbc6cd13487d0c34

SHA256
c07b32f99c0e7ad139edf6506539001a5598ffba248d289f9132246d6a92c2f8

SHA512
e29be5826eab00c2a127a146ee1518f494a8509625beabd1b4b50e7510d7302117f523ee65b5cc2d3f8eb9a6448c13dc0799f21a70b26c5773c63c71dd67f177

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
320KB

MD5
766f3089e5d03b918182b156ec720082

SHA1
7429d58843e0d24787f817b0886cf20214597a8e

SHA256
d6db0fcfaefc72b38f4fb4019d1ae4b1219e3b3865d269450f7b928a9020b5bc

SHA512
f9e662549dbb26ea4b21dc3087876d8a16a7e1994c23464b4604b06e6335b5ffea60afc2b990623e0d91efe46d7bfd436b4fc38d914d7a52834414b6674ea79e

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
320KB

MD5
ac82a1fb037e24bdc156ea34ca85d1ec

SHA1
0d4b18ab05b95074b8b21b7e47f4a8e2775068b0

SHA256
9f891cb030865504824786318edf6211da6568e39a00a2fc07944a4ffa460e56

SHA512
92876be1e0770fea85b279d3903f49f40bb2fabe41b46112bbb23f42f4281a2c52b0cd6f0aba1766c2b6d9a58bc0a028dcdb7c4912c31322f77a0a4727da81be

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
320KB

MD5
8610cba69758b43c614def38b2f2d41c

SHA1
0bc61a91896def16b0045bec1c4f88d931c2c39b

SHA256
7a51864177c2c6d54f55276bb6d81e69aaeb9320d54aefb7dcea3885821480ef

SHA512
a64fc479c9f2d5529a7b23203efbb04972e562f678180e9f2b3cf279ebb4cbecd1ca428a95f6821f34850be21a2a0032f1276468d3d7f4692bad798aac8ff830

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
320KB

MD5
02b5105b42a7f3e90fca0edddcf89bdf

SHA1
c1aa139cb2d7a38f71222488f3e4681ad925f366

SHA256
c235fcffa4e05e75e48a32fb442a71e3fc48ba34103e1e5f1bdd2d69d290e04e

SHA512
3b8f2fe7fec7a088094e98a5a36338aef36635339d999cf38cced3a895e9f41da4a6d02f62fd8b7f14aa865b263d3ffb02ec27c4a6f2fb6c7477cbe5bcc1526c

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
320KB

MD5
a41fc7b0fcd0b417403ded60ebdd0ddb

SHA1
8ed5e47af572c26b1077214611bec527ee294ed3

SHA256
17809801b520d2d02ea3fae69b2dda638015dae77c70c2a48263be9f81370f87

SHA512
ff25b14d34ce331d5d1bcec5dcfc37a35120ad5283ff5062e2eea710d862b7a411570692ca522f31e72c54c2ccca369093edfa2cfdbb1b7e24f906e89b2b9471

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
320KB

MD5
af39061d56c7831924c3b96e641e119c

SHA1
743894df3a75c2b896730e7d92273a03cf05275e

SHA256
51178936f1a05caa3d8b2b8287f37917eb6c5a94cdda6b226644be7510b7b10d

SHA512
f8e31b4071f88fe7cc60efc9d09105565a3aaadbf2b86ce2cdb0cc1aceb1036f0b46b9ffe4ef5672bebcf4f689f7962ce65d0639ba207c7d93649e3aa1004a3a

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
320KB

MD5
eecc1164702e5d09239f00163c371703

SHA1
a639e6415948b1ac28f8b6b60515401b9f849406

SHA256
4a231e0929ead409e6a82b078d670e0258e5f1a747e7bfab41764ebe5c9a8864

SHA512
6376b091736d2dffa0dc1e8edca6c4d8fbf156fa7d2fe2a3031228d436515c7ec330cd5828e787285d55905ea8cbeb1f4c47c6994de6d36cc14a036aa469f8b7

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
320KB

MD5
bb2717e63a3152fec68d9a26daf2fc50

SHA1
14b034818ede55c6191387ec1c307a6c69677323

SHA256
3ef01a1b5ce8475cdf3b6207f945e7ade9555753154e479ac6463796eb3df1e2

SHA512
e25514f08fd4b771d88b0ace0f4cf8dd26e7a3e7b8640c4126146d3d25de2df1af95ddbaaa0387e754dd61bbb16a4410914bd6c0b0d939a0d211d084bf15871f

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
320KB

MD5
c4f78669a3f935647cb94557ed7f093d

SHA1
fa8296661752182b607769c75ac239b32f70621f

SHA256
8cb6fd0d23a3295fa980fda7b500d95db3291dd8a03a3d5d9e59dfe6515c72a8

SHA512
0452f317639a0a490e371688ae542b057b880f825dd707ede49abcb246101e11855357887fa4816cdd8a15ef67033b56e8a0a5614aa972c69f8f7f6da7665675

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
320KB

MD5
6e9e3b47d5750272ea3f70ed4479bb3f

SHA1
0a1bbd3a1d98610a83d158329cff3f14705e91b1

SHA256
9fcc6d96b5391a73c0864404d19ad135bfb16ee77a215baeae5c0652bc03a84f

SHA512
65cf1611d818f0a2397c78734a62c011113b2b070803c6de0aaf376b371447ae9b3389fdfc0e1bd1a499c6fd94790ebe30bb18b2e5d5ae39197de3b82f1c1956

Download Submit
memory/116-354-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/184-112-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/212-40-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/436-373-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/540-191-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/772-247-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/812-120-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/924-332-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1008-452-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1020-361-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1084-72-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1188-284-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1248-314-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1344-144-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1380-265-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1424-48-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1436-56-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1472-414-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1524-323-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-128-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1632-255-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-402-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1688-230-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1748-63-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1760-308-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1904-330-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2144-302-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2268-267-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2344-228-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2352-471-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2388-208-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2404-355-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2424-96-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2592-27-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2600-459-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2732-383-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2736-104-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2808-385-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2824-343-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2928-175-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2940-412-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2984-7-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3056-20-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3248-301-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3308-135-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3408-156-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3460-184-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3496-442-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3644-159-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3788-290-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3956-277-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4044-469-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4088-88-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4100-36-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4144-367-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4288-172-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4364-238-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4424-432-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4508-401-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4748-200-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4824-80-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4876-477-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4964-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5100-430-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads