e547fd1f960b7dfc30aa486f931a803f368d0324d52e058674066d66534981c0

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e547fd1f960b7dfc30aa486f931a803f368d0324d52e058674066d66534981c0.exe
Size

136KB
MD5

89fcb07f60a14726fe08739c8e1cb242
SHA1

671bb2850fbfad18774bbc063b302f216d86e808
SHA256

e547fd1f960b7dfc30aa486f931a803f368d0324d52e058674066d66534981c0
SHA512

487d36f64b1b1cd6083233b6d1f85d3cf3a3e172170b9cd37a30c48fdafafa8f3827a5f9f189792454873e370f0de6f131f157f0e55e632039eba82a1186a5fc
SSDEEP

3072:V5zPf9jg6ff718Exk8QYxQdLrCimBaH8UH30ZIvM6qMH5X3O/gU:V5Js6fx8ExFtCApaH8m3QIvMWH5H3U

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe

Executes dropped EXE 64 IoCs

pid	Process
764	Efikji32.exe
4392	Epopgbia.exe
4860	Ecmlcmhe.exe
4824	Eflhoigi.exe
3788	Eleplc32.exe
220	Eodlho32.exe
3416	Ebbidj32.exe
4896	Ejjqeg32.exe
1588	Eqciba32.exe
2836	Ebeejijj.exe
4748	Ehonfc32.exe
4008	Ecdbdl32.exe
1640	Fjnjqfij.exe
4076	Fokbim32.exe
1880	Fjqgff32.exe
4848	Fmocba32.exe
1000	Fcikolnh.exe
4456	Fifdgblo.exe
2832	Fbnhphbp.exe
4820	Fjepaecb.exe
5088	Fobiilai.exe
1236	Fjhmgeao.exe
1652	Gcpapkgp.exe
1044	Gfnnlffc.exe
392	Gimjhafg.exe
2600	Gfqjafdq.exe
4552	Gmkbnp32.exe
5044	Gbgkfg32.exe
3188	Giacca32.exe
3648	Gpklpkio.exe
4792	Gfedle32.exe
1572	Gmoliohh.exe
3944	Gcidfi32.exe
2040	Gjclbc32.exe
4904	Gmaioo32.exe
1532	Gppekj32.exe
1804	Hboagf32.exe
4992	Hihicplj.exe
4144	Hpbaqj32.exe
4520	Hfljmdjc.exe
4444	Habnjm32.exe
2440	Hcqjfh32.exe
1536	Hfofbd32.exe
4388	Hmioonpn.exe
3132	Hpgkkioa.exe
1448	Hfachc32.exe
3748	Hmklen32.exe
4452	Hfcpncdk.exe
3996	Hmmhjm32.exe
680	Icgqggce.exe
2768	Iffmccbi.exe
2484	Impepm32.exe
4964	Icjmmg32.exe
4292	Ifhiib32.exe
4308	Imbaemhc.exe
3672	Icljbg32.exe
2608	Ifjfnb32.exe
264	Imdnklfp.exe
1592	Idofhfmm.exe
1060	Ijhodq32.exe
4540	Iabgaklg.exe
3912	Idacmfkj.exe
4928	Ijkljp32.exe
2380	Jaedgjjd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ecmlcmhe.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Neahbi32.dll	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Lfhilofo.dll	Eodlho32.exe
File created	C:\Windows\SysWOW64\Eqciba32.exe	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fobiilai.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Efikji32.exe	e547fd1f960b7dfc30aa486f931a803f368d0324d52e058674066d66534981c0.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Eflhoigi.exe	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ecmlcmhe.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Ehonfc32.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Ogedoeae.dll	Ehonfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Fifdgblo.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Fjnjqfij.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ijkljp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5872	5876	WerFault.exe	230

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cniohj32.dll"	e547fd1f960b7dfc30aa486f931a803f368d0324d52e058674066d66534981c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkcdljbo.dll"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 764	464	e547fd1f960b7dfc30aa486f931a803f368d0324d52e058674066d66534981c0.exe	86
PID 464 wrote to memory of 764	464	e547fd1f960b7dfc30aa486f931a803f368d0324d52e058674066d66534981c0.exe	86
PID 464 wrote to memory of 764	464	e547fd1f960b7dfc30aa486f931a803f368d0324d52e058674066d66534981c0.exe	86
PID 764 wrote to memory of 4392	764	Efikji32.exe	87
PID 764 wrote to memory of 4392	764	Efikji32.exe	87
PID 764 wrote to memory of 4392	764	Efikji32.exe	87
PID 4392 wrote to memory of 4860	4392	Epopgbia.exe	88
PID 4392 wrote to memory of 4860	4392	Epopgbia.exe	88
PID 4392 wrote to memory of 4860	4392	Epopgbia.exe	88
PID 4860 wrote to memory of 4824	4860	Ecmlcmhe.exe	89
PID 4860 wrote to memory of 4824	4860	Ecmlcmhe.exe	89
PID 4860 wrote to memory of 4824	4860	Ecmlcmhe.exe	89
PID 4824 wrote to memory of 3788	4824	Eflhoigi.exe	90
PID 4824 wrote to memory of 3788	4824	Eflhoigi.exe	90
PID 4824 wrote to memory of 3788	4824	Eflhoigi.exe	90
PID 3788 wrote to memory of 220	3788	Eleplc32.exe	92
PID 3788 wrote to memory of 220	3788	Eleplc32.exe	92
PID 3788 wrote to memory of 220	3788	Eleplc32.exe	92
PID 220 wrote to memory of 3416	220	Eodlho32.exe	93
PID 220 wrote to memory of 3416	220	Eodlho32.exe	93
PID 220 wrote to memory of 3416	220	Eodlho32.exe	93
PID 3416 wrote to memory of 4896	3416	Ebbidj32.exe	94
PID 3416 wrote to memory of 4896	3416	Ebbidj32.exe	94
PID 3416 wrote to memory of 4896	3416	Ebbidj32.exe	94
PID 4896 wrote to memory of 1588	4896	Ejjqeg32.exe	95
PID 4896 wrote to memory of 1588	4896	Ejjqeg32.exe	95
PID 4896 wrote to memory of 1588	4896	Ejjqeg32.exe	95
PID 1588 wrote to memory of 2836	1588	Eqciba32.exe	96
PID 1588 wrote to memory of 2836	1588	Eqciba32.exe	96
PID 1588 wrote to memory of 2836	1588	Eqciba32.exe	96
PID 2836 wrote to memory of 4748	2836	Ebeejijj.exe	97
PID 2836 wrote to memory of 4748	2836	Ebeejijj.exe	97
PID 2836 wrote to memory of 4748	2836	Ebeejijj.exe	97
PID 4748 wrote to memory of 4008	4748	Ehonfc32.exe	98
PID 4748 wrote to memory of 4008	4748	Ehonfc32.exe	98
PID 4748 wrote to memory of 4008	4748	Ehonfc32.exe	98
PID 4008 wrote to memory of 1640	4008	Ecdbdl32.exe	100
PID 4008 wrote to memory of 1640	4008	Ecdbdl32.exe	100
PID 4008 wrote to memory of 1640	4008	Ecdbdl32.exe	100
PID 1640 wrote to memory of 4076	1640	Fjnjqfij.exe	102
PID 1640 wrote to memory of 4076	1640	Fjnjqfij.exe	102
PID 1640 wrote to memory of 4076	1640	Fjnjqfij.exe	102
PID 4076 wrote to memory of 1880	4076	Fokbim32.exe	103
PID 4076 wrote to memory of 1880	4076	Fokbim32.exe	103
PID 4076 wrote to memory of 1880	4076	Fokbim32.exe	103
PID 1880 wrote to memory of 4848	1880	Fjqgff32.exe	104
PID 1880 wrote to memory of 4848	1880	Fjqgff32.exe	104
PID 1880 wrote to memory of 4848	1880	Fjqgff32.exe	104
PID 4848 wrote to memory of 1000	4848	Fmocba32.exe	105
PID 4848 wrote to memory of 1000	4848	Fmocba32.exe	105
PID 4848 wrote to memory of 1000	4848	Fmocba32.exe	105
PID 1000 wrote to memory of 4456	1000	Fcikolnh.exe	106
PID 1000 wrote to memory of 4456	1000	Fcikolnh.exe	106
PID 1000 wrote to memory of 4456	1000	Fcikolnh.exe	106
PID 4456 wrote to memory of 2832	4456	Fifdgblo.exe	107
PID 4456 wrote to memory of 2832	4456	Fifdgblo.exe	107
PID 4456 wrote to memory of 2832	4456	Fifdgblo.exe	107
PID 2832 wrote to memory of 4820	2832	Fbnhphbp.exe	108
PID 2832 wrote to memory of 4820	2832	Fbnhphbp.exe	108
PID 2832 wrote to memory of 4820	2832	Fbnhphbp.exe	108
PID 4820 wrote to memory of 5088	4820	Fjepaecb.exe	109
PID 4820 wrote to memory of 5088	4820	Fjepaecb.exe	109
PID 4820 wrote to memory of 5088	4820	Fjepaecb.exe	109
PID 5088 wrote to memory of 1236	5088	Fobiilai.exe	110

C:\Users\Admin\AppData\Local\Temp\e547fd1f960b7dfc30aa486f931a803f368d0324d52e058674066d66534981c0.exe
"C:\Users\Admin\AppData\Local\Temp\e547fd1f960b7dfc30aa486f931a803f368d0324d52e058674066d66534981c0.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\SysWOW64\Efikji32.exe
  C:\Windows\system32\Efikji32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\Epopgbia.exe
    C:\Windows\system32\Epopgbia.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\SysWOW64\Ecmlcmhe.exe
      C:\Windows\system32\Ecmlcmhe.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        25⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        34⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        37⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        48⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        52⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        54⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        56⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:264
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        67⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        69⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        70⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        71⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        72⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        73⤵
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3940
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        76⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        77⤵
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:544
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        79⤵
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        84⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        85⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2644
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        89⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        90⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        91⤵
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2684
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        94⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        100⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        102⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        105⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        110⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        115⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        117⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        122⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        124⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        126⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        128⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        134⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        135⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        137⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        139⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        140⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 404
        141⤵
        Program crash
        
        PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5876 -ip 5876
1⤵
PID:5616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
136KB

MD5
47bdd6e890642b44c4d6170508a32477

SHA1
df0ce0744822bd510d51ff0fed53361c7605ef89

SHA256
488fc9a05bcc3d5d5f902f80190dc1653dd9ed69356fbf651a9ad7b121785755

SHA512
36938ae0353001e5bd866b739269cccad9439565b1c04392c6d09fa5bdb124902728af5d8053c0aadfd4e3904473553285bdc761a1f5ed4f5c29bd64969a6abf

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
136KB

MD5
80b7e91d9b8a136b15129fdea5c0ca5a

SHA1
a5415c2537e1273dd8431221b4ad4784cd320ce0

SHA256
e2774b73b8e9e2cb8fd2ea8f36b9d8612080baeb7baf58288fb60a798e0d8e31

SHA512
af7fc4fc0d4b74bae4f80d4f16bd2dccef94db47334e77bbe0213c8915217efe2d8fa975010502434355b4f3df999538d5fe5c5f5834e8ec8d62a8c107e12ac9

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
136KB

MD5
d69c112fdfaaf9c8effa4689f602cd96

SHA1
1e2b3ea5485832d568669ca0d981c497bac2b78c

SHA256
b1952213c27d7874f88e5f340fda412d1921f606796df8f0e7644564fe146596

SHA512
4dd73494e0ab123ced78be44c1ba7253c7389b8ec9304f10b78fa5defadb6256a3a897a982fa5b63d78cc7bc1a5684259776f3fed5f0c9b0b669fcc654c59c52

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
136KB

MD5
ffbbf01e2ff2e6b19146db7002f9aa70

SHA1
b6ac21ead3df317e919f973527f5ab8c80ca8ecd

SHA256
0e5e5b4ba5f703fabb6b5a5806bcd0d3c5a77a7d0e7495870d94cbbd947fb388

SHA512
707b6be481534483c521ec7bf720053fed79b6c494b2091614d521ce5daa1e254bb00de5cd988483c8fffc6e2bb1e916b6910342e27febc6485b4ea7df5d525e

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
136KB

MD5
57c6db8f859add1578666717e2d4f900

SHA1
079a1da178058a43183de4cf42793a3fda78b120

SHA256
909dcce5ed1e8698ea5f58b2d62f70e8e074ade666df75bd911b6cdc2e38ed31

SHA512
2a077acb8a884f27984b73957a171b0596ccc4d4ef28f520d9396b8b621aaa08d81b16e083f4da5390351bd8603eaede1cdbae984eeb664f79c6d785f4e15b0d

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
136KB

MD5
9c4290b970d3d9f0807e35b382beebe3

SHA1
2cd0ad3c3fa248e8699668932b7a5bb2d8482f41

SHA256
62cc298632086290516e210a8339eaa82b5a7c625275ebd1952f056d8668e9e7

SHA512
76a55019accc521662b93709293729674044a0819fdf8e5ddc36f454696870f524a9a62f1f4d39eb3f64fe9de2b1c19ce151ec4f65bc3e524ff6987dd1d72bb6

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
136KB

MD5
e233401ea8e65cd5b983cd5a6b4a93e8

SHA1
21dd586aa75fd92abed0669984c9514566e506c9

SHA256
f2fc3b4d3804f8d3f765c8748afa1a19729b0474c11aca86eec6e9d136836ec1

SHA512
f376b5e7cc0b4593110d012e704016faac001db337930fef3a7e871e836f22ff5b71b298b4f5235b7c596742bb4674a4f1c77db64baf3b439804f10ebe115253

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
136KB

MD5
d193fe6206b1568b667d0c101be82448

SHA1
3aeeac50605f6d81b9c78490c1b23a9b257ecf98

SHA256
76d57da5ccc655a3a1ee09eacda8da03f1d276c994dff6afdf93043c0cfc2cef

SHA512
fb0bcc6ae4cadd465f75d6b01fc1a2ce5b88b192603716fc19d14655f7e2855bff5682e922d1b6cb46065d82916843a373a5b7fd2d4d9f2a7f414057b28af937

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
136KB

MD5
fb6244dd8755e29a1675bba6b0a78d20

SHA1
39e6e1bcf9e27ced898829faa5b6e207cdb33915

SHA256
7997db267ee7848513d0036b0289e2306be34fa79eb8fbc7d0182f3ab3f85fd9

SHA512
ce829681be4ff6c2eb03fde9623c2805e927ff938b7710652765640e4f8f6bf3010dc3ffff18a8420caed58d6eeb6bc445e8a0012b68542e99a4dfab90a6d038

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
136KB

MD5
7fa12a579a4983cc6aff4ef68e509bd6

SHA1
9bac0b2dc01611a03601f9aeb4273d9b85b6bad3

SHA256
39f2cffabaf0b594a9aa9ae9a5ccdc7c243216635d5d93b287ca2447728772c0

SHA512
7630db5e2aa207c0ad5c0e8e7dca033de3665b64d8dd9cca1c1e82c8dc84ec4abd22aa3f467a6848b1fef155f879a9413e525fd2511dbef6d5542a9a42c457bf

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
136KB

MD5
236294d66d0c93dda19fa8851ad4eeae

SHA1
f98b52901dbe54d2e61841de88b1a97e50200eeb

SHA256
3335b0eaa348f344401893ad35fbf6e4d5d8076913420203aa621a6cd0a1b18a

SHA512
fe7ffc2e631551d36d90612f6bb42ba9977fb33c1027f6c70da7a39dec67ba444184e3a06e1afb95c3d3db952730a568eb7716d6e2ec1b992e022f75d1803840

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
136KB

MD5
8470063c800660a0a365255f4f34112a

SHA1
16b25eda6c642310b75718469f05c2def7703b15

SHA256
b34af259d8f3c713b8e1bf731ca64e9fec4932769c96bba01ce23582b0909cb6

SHA512
38d8d29bad4d562361644df2bf0f6b4190e128fee8ece817cea21308e3bab699ca9e0e50402182baf27ba79a616bd8ad90bee3f14f57126b05f6a4a63308760e

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
136KB

MD5
a716c7662c25facc73ce9f2a2b37bcca

SHA1
e16f8b079a64fedce32416a6098d42550ab63a33

SHA256
50b5e4de0546ef683be1544254ebe0bef3a1f3c4383ee590cf51c47bef48ca17

SHA512
cb18882e0ae13008c3fe535bed044afc208b3ec0fa73aca4c43cea104d3fafc1bc063d47f11f2bbe111790abb22f5068e4ca722e5685c03f2336920d78784c98

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
136KB

MD5
19af0d7c62b74f87af7a4a75450ce185

SHA1
3eac4a2ea1be0bc0e014d65f5b1fcb9bea47bd9a

SHA256
7d15c6bb4c12875e5dfe4ec78c90b37b316c7390cd743aec0a92135ffd36beff

SHA512
eb22eb65994a3cf783c7fae04fc9826242d84132dca4642169f1c3c5aa37e7762b602d229eddc958a4ec992e7bc820f9e5940ab07347f004e2292ec8f638ceb1

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
136KB

MD5
f84fc9814f342dc2feb4726e7a9e3a03

SHA1
68b58322297eb8f5afc2cc9e61ca2b4657a455d8

SHA256
fb2115c5168d85c9f4972f4dcb537a624bea3831007f652cc26aafc355af454f

SHA512
114e8847bf08849ff5428f9adf69ae5f9b999cb658de42c75d9e72551d405e83d0147dabd9fd50509c9d59bc9df5b986d833bab7357ae56cbdba1c0244da2bb7

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
136KB

MD5
ebbe9472848fc7d7ae0bd008ab2dd888

SHA1
9ee4bd1118d282c140b86b4f843d83da8bb9ba6b

SHA256
045eb1aea0c8692368c667334f87f7717bf551b05cda68638e7f72339d326339

SHA512
cbebd52496c95cc695d4beca2a431a8cf71493110270c9f5bc129d958e682078c0b215c0526b1640aa3b1ee1820904fefc8e21eaa2f78d53a3ddef9a1e8d91ad

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
136KB

MD5
8bf76d68e0e7bf3a324d471506ba173e

SHA1
37c0435d9fe4c19d7af63dd60f5bfed3f3f5d93b

SHA256
2a6f16139434752612b6dc4158f461c175a88b7a4bba87a4108ceb7949d5d760

SHA512
a0c92af84e8e97d449c64569fb1db8b1ca19e4f7f663ba3f1722609db3ceed964fc0cb5e0f6da45ba6f16617be053f97f93f113598809bf21f3750399d5fc313

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
136KB

MD5
f22f3ad2155486fa45051234ebabe160

SHA1
c21113f3c26259346fe4e1d6d624e09b01239ab3

SHA256
dc25b661f16d7a1220347862171727bea5f0ce2910b8b4bae42a8c9f1b8bd3db

SHA512
5231326e9da1399a7294c85dff61bc0a7acec7ef59963b33c526efbcf6cf5c5482e87456b6d2dc2e509747a643b20a7171e327d45943c5502f0841758586cdcf

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
136KB

MD5
9d985aea5e60996e4be6a0a6735d156b

SHA1
75b6bbdaf6c36ddb7576392396ec6a8b2247c9b4

SHA256
05ac085b02a68decc33396dc8a14c33a4c1a256aea4e320a8e75dcf216b418d2

SHA512
8f895c5987b7eaca6f2c19af2b701095ea08cd5e50df5873d75a29a1051ce15ab953ce70ba9d96b3f97b635ad777fe0061e3a03d2e951408f5bfbfccf7db8ec6

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
136KB

MD5
4943d80fe02a2e8fe104b1ec57470e3f

SHA1
b9ea70e07ede3868c4dabd548446910c6dcf63d7

SHA256
4f9ece280e9d1cd00e09b390e43b24dfa9b3df555ad1e44578ed3cfe6386e44d

SHA512
ff5c1716c7a74a6b4b29d63838b03d15b417433a78960469ef344c864f7ecccaeb1190e66633c96d3850a3ab41f04eff87d6ad4e3860db318364dd4fc609d349

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
136KB

MD5
c149c1937f96fa2dda27475f74e4597a

SHA1
2b9950ca2c9db7c0e21af521e5f0818b4b5a40f6

SHA256
a7dbd5bdf35e540161754f94b759f1a2861f2377d579080d54543343a0a874d6

SHA512
b87540917aed5341a041a44bef80986e131611db49c4adf3a6f11e864006368c1e7ec1562a8ad98d204bf30edb982ec917316ff5d818f7e4f87719c79a604f81

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
136KB

MD5
c82c35c9c8c4ed68ad8bd2c4e7304b51

SHA1
dfef7ebc5aade4cfcbf5b9f4020d960b940a8600

SHA256
87378a75b4f73335805416193943e1b495ea90ec56826b566f0987363f37b0c0

SHA512
f33327e21cb3b5186d7b53b8f9f7df8df13d6cf708adfe330e5cf72f89bb2b4e7ff9dbc6bedf5bb7cbca75d41e0c4c24bf9ad27d88f7055cdac06d037a3709b7

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
136KB

MD5
c780b06aeac061dfe572d78e65f6fefb

SHA1
3a834d10de77ab2af9da8d8212244627fd7be6f6

SHA256
0413634966d984ab5d2ca14ea535279b340a7e688c6a98fb0b7c8877cbd7fc4f

SHA512
3275a6eaf0ac8d52ff178696fc49cb5e374857d793f58bd14bc4251bab962312da341724fa2a814367dd9d99eab119e0c607c2408c2a1e76cb96a27a0e635e8f

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
136KB

MD5
ae834c090ecda1b091182f4a754f9f59

SHA1
dfdf8c78d493f7e87a50017267c187a26e84dc26

SHA256
8fe21f434e6e1650b4ff32693ce0f46511ff874ff27569f8f8a8aa4f07e2708b

SHA512
916b1c2340ed4bcd563b346a63cb8bd7b5bd9ecad625e1290d7a68faf658349f8df9df6cf60ebe952a5c5788bc577b1bb767c4b936c75726ab6b4a6c0c448e26

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
136KB

MD5
5433a37df8de2c3e6c699516834a7292

SHA1
162c3003ad447e46d9848c85a068caa4712e3138

SHA256
e3a642c1d3453d9e8929f6cdfde89d3640a3acc47e087b8dba5a52967b65cb8d

SHA512
f5071948d64725234178fad66869438162567213b11cd1b3febb6b2a0ba627de9c338dc008384d3a084dbcc1142529192b2b3bdc0bd7ec84957eead6acd34eba

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
136KB

MD5
d740b5d23436c94bba150084f8aa6dfd

SHA1
868ed23c3ffbc1972b3394a41ce02be91ceb53d3

SHA256
7b39ae4ca971ed7b34416249b2939b48e0f5e7a7f3e038c260eb956a165bbde0

SHA512
d37fff300fb1c4b76d22224c58568fd6a11a6f002c232b0d4ad3b32d6102b830390ec1856e5a76f710871929ab5e61b1252a5051dd582396f1b18b572e64ec31

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
136KB

MD5
33365332652a84e4b78fb58a800fe6f5

SHA1
9ed8734a5a39ecd969f37a595856683d65d8271f

SHA256
8aceb6f5e4b65b8d86aaa49ba9de3a9d6929716b1f99d8a217460368ebf9a237

SHA512
b925fc8e2fb34b88b6856665e6b4bfd830bc1d3b974d4677ba24dad39b9024d178f5349359ef1d6d82478e37dbea7983a8f9933bf53abe1e28cf4d8ab08ff540

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
136KB

MD5
7f3f0fb659db04450cfadd808a232f1b

SHA1
d42aa782cf3a8ac554dad261ffe78a71669b546a

SHA256
f0d7176dfa70d8009318131943d987487b36948591d385991e0bd4029c21d4fa

SHA512
5b103dedd1e4b5b53d28585245c79032ad9b157f43ee5ef61c224f03fb2608ff002fb3105213797c4e836a3864f2dcba06fa85050ef09c42b53e6ac1c9194ff1

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
136KB

MD5
516b7f508e909cbe75453b480152b7be

SHA1
cb0c6fad3f4f87b0a811aebfabbd71a7bee20721

SHA256
1f35cebdfd3d535a4159bd2fe09f0d16eaefa85a53d3a9107ea44f64db3ec9f0

SHA512
9a9c77d6a509d7bfdfd6879e65637b04646de1cd53804ece9cc190acb10cd1d79866fad1c6cd17973c9e2f37b55caa91068d56f2dd5c55f07db1657946e6d80a

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
136KB

MD5
46c0ead61cdec6d5ebb308dc6d5582d8

SHA1
24fdd03131e8c988e65d87800214ba262a7f90fd

SHA256
ce275c8026b518edf2575f04a0986a2e83a645fc4d93d2fa49e4269697f4ce54

SHA512
4b6c83e0e7c353969c58f031537698c59936eb43ae405c0397aca30f95c6c4d43e83b6038de13c6585fe30d78e6bbd50b80865e5e853948fde338eef5410001b

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
136KB

MD5
1ecc05cc5999c985de2c947aab95b2c6

SHA1
8294b7d0990e910630a99ceb00e6e1f16c88f1e4

SHA256
c80a917f9925ebb397b176ae636d9ee5f27ec15668f745c89d885a8db9454294

SHA512
de1ef9ff4745356f1655e090a8d94cc0477917b2e18a451112057fd496d9e4f8eea244c6a80ea4009e77ef24363c12f533bda600f3c145fe54ad848f03a82847

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
136KB

MD5
51c173ca1071bd78f737f86fbbbc4ba2

SHA1
07ddf68824311dbed7726835495830d449a6a01e

SHA256
8677c852d44ec10115ceef653ff276e1aae485708e336865966013f0e5127377

SHA512
1f836df5a5ce27d287ecd74212008e2213e3619241b44136536243561ef16d024c58863922891cbec3773a3bb18bbc310e97ed56a4128c05dce09cd900dace7f

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
136KB

MD5
05f4f31b08bd9654de285563a629f885

SHA1
16de28a35e369f77121dfefc9ff1f141bcf8c64b

SHA256
1d5abb46f1ad27a663d5338240b3cb26fd5431addab41c0a13eba8b651211d41

SHA512
dcdf963cbfc12c4c077b944e421cfdd934741557b600ad824759816ca86822a94049885678e3170d9d82926727bb9762137ec287b0efd40e323a7fad853598d9

Download Submit
memory/220-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/264-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/392-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/464-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/464-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/680-368-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/764-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1000-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1060-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1236-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1592-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1804-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1880-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2608-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2836-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3188-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3416-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3648-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3748-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3788-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3944-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3996-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4008-101-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4076-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4144-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4292-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4308-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4392-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4444-315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4552-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4792-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4824-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5044-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads