24e993824db1cae9b783056aa7082158ac58fc67527379aae3d0877fe9dcb08c

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f8abc3ced74c5863926263c5ee8b4ee.exe
Size

80KB
MD5

2f8abc3ced74c5863926263c5ee8b4ee
SHA1

552512d64235b034474cce2c48629cf780479a62
SHA256

24e993824db1cae9b783056aa7082158ac58fc67527379aae3d0877fe9dcb08c
SHA512

547f24501e56791b54da33ae5092a1e7c29d851f29e05768c4fedf07a90b44d03c9770c95f5168eeaf9304de6a7f962860c56ce6136f6f454e5c111e5a3211be
SSDEEP

1536:JLfQDfH7udP2aoI4nx7nL5Df7vj/bArHDf7XTvLnj/b3zPrHDf7XTvLnj/b3zPrl:Jujzat4nx7nNDf7vj/bArHDf7XTvLnjJ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmhale32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe

Executes dropped EXE 64 IoCs

pid	Process
1508	Iejcji32.exe
2920	Ibnccmbo.exe
3228	Imdgqfbd.exe
3604	Ibqpimpl.exe
3208	Iikhfg32.exe
1768	Jfoiokfb.exe
4508	Jmhale32.exe
3140	Jioaqfcc.exe
776	Jianff32.exe
2276	Jfeopj32.exe
5020	Jpnchp32.exe
2956	Jeklag32.exe
816	Jpppnp32.exe
3936	Klgqcqkl.exe
2416	Kikame32.exe
2356	Kpeiioac.exe
3220	Kfoafi32.exe
3540	Kmijbcpl.exe
3932	Kdcbom32.exe
2248	Kedoge32.exe
2396	Klngdpdd.exe
4612	Kmncnb32.exe
2924	Kdgljmcd.exe
4300	Liddbc32.exe
3508	Lbmhlihl.exe
2992	Ligqhc32.exe
1496	Lboeaifi.exe
2272	Liimncmf.exe
228	Ldoaklml.exe
2604	Lbdolh32.exe
4652	Lingibiq.exe
4456	Lphoelqn.exe
3632	Mgagbf32.exe
1372	Mpjlklok.exe
3520	Mgddhf32.exe
3244	Mibpda32.exe
2128	Mplhql32.exe
3472	Mckemg32.exe
2580	Miemjaci.exe
4444	Mpoefk32.exe
1504	Mgimcebb.exe
3892	Mmbfpp32.exe
4468	Mpablkhc.exe
2532	Menjdbgj.exe
2644	Mnebeogl.exe
1900	Ndokbi32.exe
928	Nepgjaeg.exe
4692	Npfkgjdn.exe
2804	Nebdoa32.exe
2476	Nnjlpo32.exe
3384	Ndcdmikd.exe
1640	Njqmepik.exe
384	Ncianepl.exe
4884	Njciko32.exe
4888	Ndhmhh32.exe
2780	Olcbmj32.exe
1312	Odkjng32.exe
372	Ojgbfocc.exe
724	Opakbi32.exe
1864	Ogkcpbam.exe
1916	Pdfjifjo.exe
5104	Pnonbk32.exe
64	Pclgkb32.exe
3240	Pjeoglgc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gnchkk32.dll	Ibnccmbo.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Kfoafi32.exe	Kpeiioac.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Ibqpimpl.exe	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Iikhfg32.exe	Ibqpimpl.exe
File created	C:\Windows\SysWOW64\Anmcpemd.dll	Jeklag32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Mjddiqoc.dll	Jioaqfcc.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Jioaqfcc.exe	Jmhale32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jmehcnhg.dll	2f8abc3ced74c5863926263c5ee8b4ee.exe
File created	C:\Windows\SysWOW64\Jmhale32.exe	Jfoiokfb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5468	6100	WerFault.exe	216

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnchkk32.dll"	Ibnccmbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmhale32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2f8abc3ced74c5863926263c5ee8b4ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmehcnhg.dll"	2f8abc3ced74c5863926263c5ee8b4ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfjnoma.dll"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1508	3004	2f8abc3ced74c5863926263c5ee8b4ee.exe	85
PID 3004 wrote to memory of 1508	3004	2f8abc3ced74c5863926263c5ee8b4ee.exe	85
PID 3004 wrote to memory of 1508	3004	2f8abc3ced74c5863926263c5ee8b4ee.exe	85
PID 1508 wrote to memory of 2920	1508	Iejcji32.exe	86
PID 1508 wrote to memory of 2920	1508	Iejcji32.exe	86
PID 1508 wrote to memory of 2920	1508	Iejcji32.exe	86
PID 2920 wrote to memory of 3228	2920	Ibnccmbo.exe	87
PID 2920 wrote to memory of 3228	2920	Ibnccmbo.exe	87
PID 2920 wrote to memory of 3228	2920	Ibnccmbo.exe	87
PID 3228 wrote to memory of 3604	3228	Imdgqfbd.exe	88
PID 3228 wrote to memory of 3604	3228	Imdgqfbd.exe	88
PID 3228 wrote to memory of 3604	3228	Imdgqfbd.exe	88
PID 3604 wrote to memory of 3208	3604	Ibqpimpl.exe	89
PID 3604 wrote to memory of 3208	3604	Ibqpimpl.exe	89
PID 3604 wrote to memory of 3208	3604	Ibqpimpl.exe	89
PID 3208 wrote to memory of 1768	3208	Iikhfg32.exe	90
PID 3208 wrote to memory of 1768	3208	Iikhfg32.exe	90
PID 3208 wrote to memory of 1768	3208	Iikhfg32.exe	90
PID 1768 wrote to memory of 4508	1768	Jfoiokfb.exe	92
PID 1768 wrote to memory of 4508	1768	Jfoiokfb.exe	92
PID 1768 wrote to memory of 4508	1768	Jfoiokfb.exe	92
PID 4508 wrote to memory of 3140	4508	Jmhale32.exe	93
PID 4508 wrote to memory of 3140	4508	Jmhale32.exe	93
PID 4508 wrote to memory of 3140	4508	Jmhale32.exe	93
PID 3140 wrote to memory of 776	3140	Jioaqfcc.exe	95
PID 3140 wrote to memory of 776	3140	Jioaqfcc.exe	95
PID 3140 wrote to memory of 776	3140	Jioaqfcc.exe	95
PID 776 wrote to memory of 2276	776	Jianff32.exe	96
PID 776 wrote to memory of 2276	776	Jianff32.exe	96
PID 776 wrote to memory of 2276	776	Jianff32.exe	96
PID 2276 wrote to memory of 5020	2276	Jfeopj32.exe	97
PID 2276 wrote to memory of 5020	2276	Jfeopj32.exe	97
PID 2276 wrote to memory of 5020	2276	Jfeopj32.exe	97
PID 5020 wrote to memory of 2956	5020	Jpnchp32.exe	98
PID 5020 wrote to memory of 2956	5020	Jpnchp32.exe	98
PID 5020 wrote to memory of 2956	5020	Jpnchp32.exe	98
PID 2956 wrote to memory of 816	2956	Jeklag32.exe	99
PID 2956 wrote to memory of 816	2956	Jeklag32.exe	99
PID 2956 wrote to memory of 816	2956	Jeklag32.exe	99
PID 816 wrote to memory of 3936	816	Jpppnp32.exe	100
PID 816 wrote to memory of 3936	816	Jpppnp32.exe	100
PID 816 wrote to memory of 3936	816	Jpppnp32.exe	100
PID 3936 wrote to memory of 2416	3936	Klgqcqkl.exe	101
PID 3936 wrote to memory of 2416	3936	Klgqcqkl.exe	101
PID 3936 wrote to memory of 2416	3936	Klgqcqkl.exe	101
PID 2416 wrote to memory of 2356	2416	Kikame32.exe	102
PID 2416 wrote to memory of 2356	2416	Kikame32.exe	102
PID 2416 wrote to memory of 2356	2416	Kikame32.exe	102
PID 2356 wrote to memory of 3220	2356	Kpeiioac.exe	103
PID 2356 wrote to memory of 3220	2356	Kpeiioac.exe	103
PID 2356 wrote to memory of 3220	2356	Kpeiioac.exe	103
PID 3220 wrote to memory of 3540	3220	Kfoafi32.exe	104
PID 3220 wrote to memory of 3540	3220	Kfoafi32.exe	104
PID 3220 wrote to memory of 3540	3220	Kfoafi32.exe	104
PID 3540 wrote to memory of 3932	3540	Kmijbcpl.exe	106
PID 3540 wrote to memory of 3932	3540	Kmijbcpl.exe	106
PID 3540 wrote to memory of 3932	3540	Kmijbcpl.exe	106
PID 3932 wrote to memory of 2248	3932	Kdcbom32.exe	107
PID 3932 wrote to memory of 2248	3932	Kdcbom32.exe	107
PID 3932 wrote to memory of 2248	3932	Kdcbom32.exe	107
PID 2248 wrote to memory of 2396	2248	Kedoge32.exe	108
PID 2248 wrote to memory of 2396	2248	Kedoge32.exe	108
PID 2248 wrote to memory of 2396	2248	Kedoge32.exe	108
PID 2396 wrote to memory of 4612	2396	Klngdpdd.exe	109

C:\Users\Admin\AppData\Local\Temp\2f8abc3ced74c5863926263c5ee8b4ee.exe
"C:\Users\Admin\AppData\Local\Temp\2f8abc3ced74c5863926263c5ee8b4ee.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\Iejcji32.exe
  C:\Windows\system32\Iejcji32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\Ibnccmbo.exe
    C:\Windows\system32\Ibnccmbo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\Imdgqfbd.exe
      C:\Windows\system32\Imdgqfbd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        28⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        30⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        31⤵
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        39⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        40⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        48⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        51⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        53⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        61⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        69⤵
        
        PID:480
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        70⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        73⤵
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        74⤵
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        76⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        78⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        80⤵
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        81⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        82⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        83⤵
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        88⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        89⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        91⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        97⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        99⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        100⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        102⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        104⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        106⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        111⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        118⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        121⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        122⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        125⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        126⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 404
        127⤵
        Program crash
        
        PID:5468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6100 -ip 6100
1⤵
PID:5356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ageolo32.exe

Filesize
80KB

MD5
39a3a434d042033e29292588e7027f00

SHA1
a317880be5d52a94e36c14401933f726c751c026

SHA256
115921de476b73004c6bafde3d4dbbb37a5fb9e3cedd1a8261404f57649f7fb7

SHA512
30988c19178bac81770aa58742e1e2356cb00eb0e02b953a9ffb901b61c3cb763b4d6a40e10a746ad96533ba43ec395a5b3ca27b0f431a7de66d6b98379cfabe

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
80KB

MD5
26f05574aae853aaa9d8dc8c0571cb01

SHA1
36349028212b6f4bdf3cdb6c857762abd9cfe4c1

SHA256
53252ba613f421ad10366827a4246d3b981a60f2c718e028d2fee71e225b37da

SHA512
e098d8bf968ecb213fa8307af575613e82b4b7ac62a1d64c58246f65b105780246fcf7dbac29b070ddc82b3d553ccc00d5eacbc10b8d649e3af8e6aad3cbfce6

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
80KB

MD5
bba905d2748629c5a01c79d49a3d658b

SHA1
bc12f1951e866d6f64e74763e87dd7158c9f81c2

SHA256
1054868663b7a1a74c55aa728de09d9f12fe333d08d4ee4b2bf88e83905edbfe

SHA512
ff3917132f07ef94db5872a93ad77c52fa9f38873e1ac09581bcf21ff7470840038ee1553b686ba66699e85da022a258bbe86c5185100858da077b59ce83f078

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
80KB

MD5
298d5dd91849f77b36f2cc696dc28604

SHA1
14db375167dc643c5bc717cee4960ca574eea116

SHA256
36bc1a87fed9925aa8c72eea229a8b7368ec58d242e510ad2a061244e69a7a08

SHA512
bcd8087e5914bae47c1da5e986994a95817b9765ae031756ee874fa0a249e1be3e643306cde1709a2ac5ca589d4cde31864958c7dbdaf8a6b684c4df02bd2ded

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
80KB

MD5
6e8a31623465429d764f1a02330de46b

SHA1
8f72720ba3b024dc977654b74dd0654883a4dfc7

SHA256
9e722dcad4d27d703087685ec62c0a27b14c8af40bede280ab7829de6edabe9e

SHA512
0a07cceee28e7c8d26ece8d17b970f8e02f3db63f5432aa9780bfa9de90119bec1d0fb692f3e636a3081bb8f3cbd00f6f61e765e0489eaedb8ddc9f389538f91

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
80KB

MD5
339fde946ab5e0e3b2697906dfb54ac0

SHA1
4f35e6be22abdc77abcfd637713850f4be6eb403

SHA256
82414a347214c2b0bbdf038b77f3de7b6d81168d5ae3f3bbd1a40d4696492990

SHA512
0ef7b9df18484aee7f4b673d3b181cb6f6c8b3171a7b9bbaaa03e20e1bbd822a7568c60527254fb1926d889786a76cacebfca7185461299f11ee17e53e4cac38

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
80KB

MD5
9dd091b00544b6eb2f74a8fc41a6d570

SHA1
bcaa81572c470ca01631f9efd88e7558e8f4d651

SHA256
547884cc6e606c22f5c5ca126eb600b0b3e6941e6d7c97263dc3a6f47fe57b8b

SHA512
3fd356456e24e8a7ab2227a95ad179eb50bfeda64c2ab3a070339a3f4b7052bfb3acfe6cffdbecb4640a7a646213b2a190fba796efdb402e5b1e6203a0a7f865

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
80KB

MD5
7bea40027db2368ebceaa4f2e4b3decc

SHA1
957dd2f52c1ada05c6ee8d99ba770d6bc499b22e

SHA256
f7d04df5c5c17557590ace3e4608775cfeb7cbf73a8c7d4c7cb6148fcc219a0c

SHA512
a32be0b78916d62ea22fd53909f9c74f5937efcc92f4fc3dd6542d30c9559d198cf95870cc441eb8b79b6899b99fc0cf0d8220b969ddbb810d3b99f3b4fdeaaa

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
80KB

MD5
b22b49abf5b18145980b7fe450739237

SHA1
6add512c175a8d179a0386292c78e1defeb0803e

SHA256
887e0c3cca4d2cc1d7d68bc5213eed754d2fce7fe677d0ce3186fc98c8760536

SHA512
11dad1f1f8f90424c2e48d3093e624a75ac7e4b1db3a2b11b36a06e9fdf4a117a3feba5f6038200582f56c6667747c43ba7c29e33fcffa3de5505209a54e9af4

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
80KB

MD5
ba0ddfd18dafb3583f4c727e857eb2f7

SHA1
e1340327bead8f5070c881ab977426af206dd7c0

SHA256
84c32fd976f627fee99fe96e02a1592d85f36c30b79240b6b8646fa043b8f379

SHA512
7f5cb11b8cd4c93a107d67c1675f3c3ea77cc277f34129ee7ca86185ba1aabd04cf45842da63c615dbf855aaf0bb09b9538a7f3dddc7ad86d88d353620837e66

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
80KB

MD5
c9014f3a6fb1a69cb27a53e8034fa8dd

SHA1
040db7c777220a8df7d79cf83225bd1d8e559126

SHA256
6a6618ab76d6b0d6ad9ad9631a3b628c323383f0a5349bbfc6bdcd631ff1ed79

SHA512
6b813d853590b35e563ba065f5015003d74bbbc07ef0e41c4ad7275cb23d43872c44d662fc5f4836aedb02ab9a797f9f26d7b74154435a448fe0ca92c8d34023

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
80KB

MD5
ed2d76f881ece4e3df16e20565eae3a5

SHA1
f85c5b8d756de783ac7bdfb9b86d5182a62108f1

SHA256
ff30eb4d05e0ace0892a11128b0e07906741aebb042945026a73c8b170da7dac

SHA512
3bf46246e15ab59c6fb7ec06bf8af4ece6575639583bd54ecac528b8c80caecd15d3feda59e805580d817c37b65793e6a70a08408dad559edcff00f1c235a78d

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
80KB

MD5
9bbb3f838744cf0834d80a705dd603a9

SHA1
0e844c7768a42852be2d1818ddb0d043e242c736

SHA256
b74d41beaecb79abd91e9a8a6fd234a53f49743702fd2bd414cc68dc4b287baa

SHA512
ff537a18f2f9771a443dd4f417835231454fe4607d61aa90ad5cac1ba898121e153ce66144a085e975f1e8a1b01d15fc9b6f9ec533090f422d59446ac7b65e6d

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
80KB

MD5
10c653f511cb3b46bfd90c265ae6ffc4

SHA1
cb1cd2150ef57bfa7863fa014a65c1d78a753ff8

SHA256
8b0116e80de9d070dc0e95edfa4865fe528c69f4c0d1a4c769f52e152ec17980

SHA512
2fee54cc5e3ff35ef29be26585585fcce5bf03af8a58c404d3ccff4e8f00d143ce5f6b9c8ae158c46a3cbbe3dd816dc942e26407f728f0c134733ec9a474c3f6

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
80KB

MD5
fe5f11a6449329326437256e8cf44503

SHA1
f6cb9c5ec9d390e3a8db50ef7b5b1a1e607b4dba

SHA256
36b9398a4e27316c8b2d05ff21d7f9669ba9dee72e426468857c3a8b479e948a

SHA512
d4cff1afa54f4f553942e1fec2ea13c9c0bdf88558b68e42af30c256dd646bea924d4d40ae558e6961419b4b7c35892502d31ca266b3c422617eac48bfc7b039

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
80KB

MD5
daff9bc18c01763b3db9db5950822b4c

SHA1
add8e8f317fa9201efd2a3bb354fdf0590d10702

SHA256
f1978e2f2174f374bf113fe9e20934a858d2a92a39c74d0f89ac5bad70055713

SHA512
605628a933fcd922e4ff9cfb28b5babf6ddea1b0ba64c958893c48ba2d76491ff1701c002fe77316bcfda0e50d3cb48556bb0eab0b42f52bc41a589da44c4014

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
80KB

MD5
f7d598aeb51205a4193a8e107aef6dc8

SHA1
7ed7eaa2628fa3342a5f9876a317bb97654771ca

SHA256
e5c1aae7f717012beae73fb3effb6911ad1478915bab682fa3db1a7c88634569

SHA512
fd3f392e3705977dcdab665fd5d41efeef7c13fb4643f847e4bf6b902ad09f3415271ccc7902501442b9af45b64123fa3564b23cfe827f99c9491c83ce89ebf6

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
80KB

MD5
32e1d9738ea0469e984085ec4126d20d

SHA1
33d2b0af9206f736aa952b7fcc20fc1d319ccdf9

SHA256
05a892b3d77af4f4fc71b8ad83832d77864e92a2162f74e662f39f58178f42b2

SHA512
ebdfab8c8a36b7dabc9eee8115da32c8290a0a848afb5df9d258a1955e8f72b5a5b59d33a47b9bb7a2e6f1cd128836d820cb7c9773cf36714a005d1b7d0da083

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
80KB

MD5
0e2d44250a5e010b4ca016a558aa03cd

SHA1
c53f86269dc4818ffbc6751a36cbd48cfdd552dc

SHA256
a4856642360fa13f006b8c8f5147b43bbae10ccfbb0b6d892a8d32364ef8db33

SHA512
44dce8f250b8ffb2bb4f40380e2d444be19ea031a76406b6a47d8728021c96b196e81787595cd50798f08e45c3db6223cbdcaa0a849c67ee48e001a39380ebd6

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
80KB

MD5
1791b6d26faf94232a130e18d9586ddd

SHA1
9807005e36d39ebfe81530ecf3dae8754a860e34

SHA256
3453825c29a939f3249c84ff94d6ccb88800b9803dec5ff51503951a88823f88

SHA512
5db46c8f333fef19ea5c760073cf817dabb1dbb8d4e6b771571390e35e75cbfd4e706ffd47483382bdee869f4d8860bd5fa71c5edee2342144ff83bdfc0a4113

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
80KB

MD5
a5150a0b49ac9d98e1c9e1e7bfb5361e

SHA1
0f678f7c9bb7b52d3b697de77c65d222d6f28bd3

SHA256
78735bfca5c89fcef1a9575405f593ca438b1f3e29eb2750e3e1d13e355315d3

SHA512
1941301156a521c4463157d7b91e33059dc5b8941faf7233919baeee7646327994bf42d94e923daea14ceb57ba14c0049b6ad6204edd86b0b6701e87449dc779

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
80KB

MD5
2e59416078261bb92c643cf7bcaccaca

SHA1
3cb09c286486b0f0cabdad9925976c7229d4b27a

SHA256
46ae679f769db714bf0b119e5f62873014afafc5879ea5dc8bcd2d1e8d06185c

SHA512
8c7f49171dfbde9bcb149d80e69075b80058cfa51c227510e1ef77b2cbb9821b25b32360759663b1d28ec8308be9b8ad675320318d72b42a57514ff65f7b89bc

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
80KB

MD5
b4eab3cead781afdb0680c51187ad828

SHA1
e6a598d255ddf168ae3d909d91bacf30b5e59a30

SHA256
bdd54f9653c45bcdd3bccdb6f99f93b84c1116afc3d94fe35565df65fbe0b2d7

SHA512
ff034e1e42dc66d6bf9e7e4533fb0a35ad2c7171fc5e17068eb031502fc5cea43ae32bfac906fa58d2b3bf68054f013191976219c385b40d22df2f28db433931

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
80KB

MD5
e9ac33131bb873ce682b7d3505141ae4

SHA1
d832500b4a5fa58629602d6122aa87def58f26fc

SHA256
e7792411708eaa1e4e628df0e11404b17c898b15cec660846d6ebdb45ac5c0bf

SHA512
93ec3cff23ffbb0f544f1046122990e0d036cf2ac04c3c79c95f91487034fcf42302e35ed1c5736d5f58ab7d6f7a0e2e38e26dd06b079744f920459119876f45

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
80KB

MD5
dd61d4f2b07b262019a63588557b1950

SHA1
3202e3fe4605b754556f51f0bbc9416915e704f1

SHA256
622129441abeb3c4d00f05db631350a067d914c8dad6194cb6773e1569aad6fc

SHA512
4c95d5474b8d6cbbd27b24fc693ec5b0ccbae76d14ab5adc05b4df181cdd8cb6954cea40cc0daf496f953408169b86eb121356287ac2931411b1285af82d1644

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
80KB

MD5
04d321aa26a153d90f5b203e0c011928

SHA1
c1766c00989e30052026573a5d731822db1d32ab

SHA256
dd4cfef788c8145f7a3eafd7582c4972c88eda0ba82701d48763e28b1773b164

SHA512
a256a55506f4a4905eab91cfb9ab589d707ee71dbc510aa43454e4c8d495e3a2c51a0a33496c109344cccd757c143c41c1ac635955f5aae844bff5ca41368895

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
80KB

MD5
4cf58d711bad035550b6ed7a71aa3cd2

SHA1
a887a7422205d1eab9a2ae5b1da83f079be93b4f

SHA256
fa43d1ee8abddd7f4971b524679ce4957904d3d2c373234b93b0937690e2ff74

SHA512
c9ee8d5d379296e35c9840c4b20a49a791c443152889dc3fe60a6f8be0a7e285445d819fa49cc96f898d0ae47155cafbd161b1e5ad0cbe772b1aaade742812e9

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
80KB

MD5
9c8cf8c4e851b2d0803136cbd0851ca4

SHA1
564b133c2a982f285a80c650243fd64656db8353

SHA256
3a92ab2246039e8a0e7da3fe51402d5639b7dbc0db8494ec113a000c3cdf7a20

SHA512
6c5e17122a45aae47e04f94b27c5f7673338cfce36cf0d2783432013258a27fe842da5f52ed8fb848740952d25dffda086eba03b5f8d79784c2084cdbb7b8ed6

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
80KB

MD5
0d3138def39542e58a4a73bab295d83f

SHA1
4e8b5b062784c94c85fe2ebae4b3f45b7c7f0461

SHA256
203e29dfc360c015dbd1e1be4188b0e12847a1ce7baa0934c41727202eb6bbc4

SHA512
8595da373a99db9eb82256260c98b08b6b529a5d631b98e5efd064fda03d0419dc307c704e16d9d8134ce6bca0602a91c094317918636517cc7fd818a1a36c98

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
80KB

MD5
48744580960f345fb0aee952fe387e59

SHA1
74969c311dea981c71a2390c80ce8efc5a8c0eb2

SHA256
6bb816b31dfe8f264b502e2ed0adb2ab59d2a907b78fc709494439775b261721

SHA512
be821c3eb35399f14a98fbad645b8fc05264febad3106b7094a64ef839aa139112c40a422c6967b5207fc1fca2f127ce7e34b96abf720043892ad0f33268180b

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
80KB

MD5
3faba93fa6299be02bad2fd245582c31

SHA1
70f615d7279ecf71f4829c2b23cc2e95fe005c8b

SHA256
961750b70d9d19fe463f303aeafb5fe554ef502437d199eaf10bef7ff6d7e6e6

SHA512
ccb86627f154a039beb471b70408ad56e425256dac68041c6a73c5e9f5efe4a00ca3f77d93d0e148cf72ffffab001f563484e9fd8373cdb32c720ffcbd2da200

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
80KB

MD5
9ffaefbb87463a83d0b5482c6a42edb2

SHA1
f9b48a225f14c6a7eb505e681abd1d201575cea9

SHA256
f195b6c05a47a6e94bbbf0544ce6a397a0d69da31cdeacba6d9d6907c89d8ffb

SHA512
8456f29220c849421a06310870f13ca8987ba739f49f5a9dd79b61af08cd66b24ae617e470fc0039c155dcf8171e33efe26b4054d372d6e81ed77f4bd416cf94

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
80KB

MD5
20aa980cbf718f5e05a5b33bb6e29369

SHA1
3e9c2729bd5824a621aefe5b1b8090ee2bded848

SHA256
3c1988df8886ae3e1c4cce576e6d6122ebe08ee3d08cb153ec1807e37289166d

SHA512
01c925f7139bf579eb825aa4e0c191743ed67682fff0f219ac40675c71f23818123750f73da8442a387f06897d4293a6ce9e8fdcbc9caefe7d7563dc86bad3b6

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
80KB

MD5
ed800cd619ace0a0ba318073319f5626

SHA1
157dbf715f095c7caffde931de004e986c812339

SHA256
88a6f29f2044d110b1d12a5a1c9881a8d71ac9e2443ee9f9887f4f18e99bf7a3

SHA512
bf3f82b9947397696c5904088dc2de6a5a6a345de08b144bd7d407cecf5885bce3d6b762bab62136a6b988a7e6054a56d5803f0e78047e31614efa8c7d5a960e

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
80KB

MD5
7385224e5b5d6860f8a998938f65c9ea

SHA1
74008c5a2dade1727ba7d6c13215bbc1ae8dbfa6

SHA256
c3bf5b934e7c0c02308af5a7bf3e54699f371c9398f250c470a3106c7e409a56

SHA512
8825d7b7e89f867f1668af628cc1344d5b73f3c29de1bd694b7973ee05341fe39de207b279179cf7211bd63ed74e514f0d10cd714138a11814b5618a7faf475a

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
80KB

MD5
45acd86fcf94044d255afd12209c944a

SHA1
eac0a4832531779589cfe156936684c5e18a6c24

SHA256
93dbf936924ae4bb995e5374729e9b85fbeefc14304655ee0c6c0d71d03ab841

SHA512
d711eb8cfe10ddf45af81058e86781ebc1830767c8990785beedba9b362aaf6ca80e0f076c69251284086f217e4473bfb48d2a7cae006d09d8c988abaaf114c5

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
80KB

MD5
30f5e8b08a8bafc95c2c67b8a70a461d

SHA1
195f2e85cc7a9e3462d527ac20c83fb7b2e7837c

SHA256
07de399fb9bfa5efd5c1d8fb230625d807b64cfd92a817e9fdf9d5a1103f7a26

SHA512
33d3b5234539642719f6264fd859b7c060040166d9db996d5826f8abb1cf53c900e1a86ad3944b78b497818653f07c3d50a240ea3c54b3644e3928acc5a3b13d

Download Submit
memory/228-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/372-414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/384-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/724-420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/776-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/816-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/928-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1372-270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1504-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1508-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1768-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1864-426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1900-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-432-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2272-230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2276-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2356-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2476-366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2804-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2924-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3140-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3228-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3244-282-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3384-372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-294-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3508-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3520-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3540-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3632-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3892-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4300-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4444-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4692-357-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4884-390-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5020-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads