49096e65d58f90f1cae0d707403176266ef2cfbc5c14898fdaac61126189fa90

Analysis

max time kernel
92s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 05:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e5847702d9ed521966f49d59238065c.exe
Size

96KB
MD5

1e5847702d9ed521966f49d59238065c
SHA1

a52dd6e80954a52eec8f46cd5059163ee587e764
SHA256

49096e65d58f90f1cae0d707403176266ef2cfbc5c14898fdaac61126189fa90
SHA512

447fb0a5375ddc3af21d6ea447f90e1fdf41c4f243cb11c4eb1c793ca341aee335a90653faff19d95bf3f52683d7aa5dad76821bc130fd060f7ea5607a20e680
SSDEEP

1536:fYSUaNSTzF8Qj2SqESt2LYsBMu/HCmiDcg3MZRP3cEW3AE:ABzmMS+Ya6miEo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1e5847702d9ed521966f49d59238065c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe

Executes dropped EXE 64 IoCs

pid	Process
4468	Gfnnlffc.exe
2888	Gimjhafg.exe
3748	Gmhfhp32.exe
3860	Gcbnejem.exe
2636	Gfqjafdq.exe
2664	Giofnacd.exe
2560	Gqfooodg.exe
2388	Gbgkfg32.exe
1040	Gjocgdkg.exe
4704	Gmmocpjk.exe
2660	Gcggpj32.exe
2148	Gfedle32.exe
2908	Gmoliohh.exe
784	Gbldaffp.exe
3032	Gjclbc32.exe
2640	Gameonno.exe
1672	Gppekj32.exe
2896	Hjfihc32.exe
4612	Hpbaqj32.exe
3848	Hbanme32.exe
5084	Hjhfnccl.exe
1320	Hmfbjnbp.exe
3344	Hfofbd32.exe
4608	Hadkpm32.exe
4696	Hbeghene.exe
3052	Hippdo32.exe
4860	Hpihai32.exe
3968	Hbhdmd32.exe
908	Hibljoco.exe
3476	Ibjqcd32.exe
2332	Iidipnal.exe
2364	Iakaql32.exe
1124	Icjmmg32.exe
4832	Imbaemhc.exe
1740	Ipqnahgf.exe
4052	Ibojncfj.exe
4200	Ijfboafl.exe
1436	Iiibkn32.exe
4796	Iapjlk32.exe
4244	Idofhfmm.exe
1020	Ifmcdblq.exe
5064	Iikopmkd.exe
2380	Iabgaklg.exe
1048	Idacmfkj.exe
2480	Ifopiajn.exe
5080	Iinlemia.exe
2612	Jaedgjjd.exe
4252	Jfaloa32.exe
2196	Jiphkm32.exe
3512	Jdemhe32.exe
3616	Jfdida32.exe
2092	Jibeql32.exe
5092	Jaimbj32.exe
3484	Jdhine32.exe
3944	Jfffjqdf.exe
1176	Jidbflcj.exe
4688	Jaljgidl.exe
4012	Jpojcf32.exe
1992	Jfhbppbc.exe
388	Jigollag.exe
1828	Jangmibi.exe
1820	Jdmcidam.exe
3536	Jiikak32.exe
5104	Kaqcbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	1e5847702d9ed521966f49d59238065c.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gameonno.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5476	6024	WerFault.exe	228

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1e5847702d9ed521966f49d59238065c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4468	4604	1e5847702d9ed521966f49d59238065c.exe	87
PID 4604 wrote to memory of 4468	4604	1e5847702d9ed521966f49d59238065c.exe	87
PID 4604 wrote to memory of 4468	4604	1e5847702d9ed521966f49d59238065c.exe	87
PID 4468 wrote to memory of 2888	4468	Gfnnlffc.exe	88
PID 4468 wrote to memory of 2888	4468	Gfnnlffc.exe	88
PID 4468 wrote to memory of 2888	4468	Gfnnlffc.exe	88
PID 2888 wrote to memory of 3748	2888	Gimjhafg.exe	89
PID 2888 wrote to memory of 3748	2888	Gimjhafg.exe	89
PID 2888 wrote to memory of 3748	2888	Gimjhafg.exe	89
PID 3748 wrote to memory of 3860	3748	Gmhfhp32.exe	90
PID 3748 wrote to memory of 3860	3748	Gmhfhp32.exe	90
PID 3748 wrote to memory of 3860	3748	Gmhfhp32.exe	90
PID 3860 wrote to memory of 2636	3860	Gcbnejem.exe	91
PID 3860 wrote to memory of 2636	3860	Gcbnejem.exe	91
PID 3860 wrote to memory of 2636	3860	Gcbnejem.exe	91
PID 2636 wrote to memory of 2664	2636	Gfqjafdq.exe	92
PID 2636 wrote to memory of 2664	2636	Gfqjafdq.exe	92
PID 2636 wrote to memory of 2664	2636	Gfqjafdq.exe	92
PID 2664 wrote to memory of 2560	2664	Giofnacd.exe	93
PID 2664 wrote to memory of 2560	2664	Giofnacd.exe	93
PID 2664 wrote to memory of 2560	2664	Giofnacd.exe	93
PID 2560 wrote to memory of 2388	2560	Gqfooodg.exe	94
PID 2560 wrote to memory of 2388	2560	Gqfooodg.exe	94
PID 2560 wrote to memory of 2388	2560	Gqfooodg.exe	94
PID 2388 wrote to memory of 1040	2388	Gbgkfg32.exe	95
PID 2388 wrote to memory of 1040	2388	Gbgkfg32.exe	95
PID 2388 wrote to memory of 1040	2388	Gbgkfg32.exe	95
PID 1040 wrote to memory of 4704	1040	Gjocgdkg.exe	96
PID 1040 wrote to memory of 4704	1040	Gjocgdkg.exe	96
PID 1040 wrote to memory of 4704	1040	Gjocgdkg.exe	96
PID 4704 wrote to memory of 2660	4704	Gmmocpjk.exe	97
PID 4704 wrote to memory of 2660	4704	Gmmocpjk.exe	97
PID 4704 wrote to memory of 2660	4704	Gmmocpjk.exe	97
PID 2660 wrote to memory of 2148	2660	Gcggpj32.exe	98
PID 2660 wrote to memory of 2148	2660	Gcggpj32.exe	98
PID 2660 wrote to memory of 2148	2660	Gcggpj32.exe	98
PID 2148 wrote to memory of 2908	2148	Gfedle32.exe	99
PID 2148 wrote to memory of 2908	2148	Gfedle32.exe	99
PID 2148 wrote to memory of 2908	2148	Gfedle32.exe	99
PID 2908 wrote to memory of 784	2908	Gmoliohh.exe	100
PID 2908 wrote to memory of 784	2908	Gmoliohh.exe	100
PID 2908 wrote to memory of 784	2908	Gmoliohh.exe	100
PID 784 wrote to memory of 3032	784	Gbldaffp.exe	101
PID 784 wrote to memory of 3032	784	Gbldaffp.exe	101
PID 784 wrote to memory of 3032	784	Gbldaffp.exe	101
PID 3032 wrote to memory of 2640	3032	Gjclbc32.exe	102
PID 3032 wrote to memory of 2640	3032	Gjclbc32.exe	102
PID 3032 wrote to memory of 2640	3032	Gjclbc32.exe	102
PID 2640 wrote to memory of 1672	2640	Gameonno.exe	103
PID 2640 wrote to memory of 1672	2640	Gameonno.exe	103
PID 2640 wrote to memory of 1672	2640	Gameonno.exe	103
PID 1672 wrote to memory of 2896	1672	Gppekj32.exe	104
PID 1672 wrote to memory of 2896	1672	Gppekj32.exe	104
PID 1672 wrote to memory of 2896	1672	Gppekj32.exe	104
PID 2896 wrote to memory of 4612	2896	Hjfihc32.exe	106
PID 2896 wrote to memory of 4612	2896	Hjfihc32.exe	106
PID 2896 wrote to memory of 4612	2896	Hjfihc32.exe	106
PID 4612 wrote to memory of 3848	4612	Hpbaqj32.exe	107
PID 4612 wrote to memory of 3848	4612	Hpbaqj32.exe	107
PID 4612 wrote to memory of 3848	4612	Hpbaqj32.exe	107
PID 3848 wrote to memory of 5084	3848	Hbanme32.exe	108
PID 3848 wrote to memory of 5084	3848	Hbanme32.exe	108
PID 3848 wrote to memory of 5084	3848	Hbanme32.exe	108
PID 5084 wrote to memory of 1320	5084	Hjhfnccl.exe	109

C:\Users\Admin\AppData\Local\Temp\1e5847702d9ed521966f49d59238065c.exe
"C:\Users\Admin\AppData\Local\Temp\1e5847702d9ed521966f49d59238065c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\Gfnnlffc.exe
  C:\Windows\system32\Gfnnlffc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\Gimjhafg.exe
    C:\Windows\system32\Gimjhafg.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\Gmhfhp32.exe
      C:\Windows\system32\Gmhfhp32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3748
    - - C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
      - C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        25⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        26⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        27⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        40⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        41⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        45⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        53⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        57⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        61⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1392
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2744
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        68⤵
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        69⤵
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        71⤵
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        73⤵
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2440
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        75⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        76⤵
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        77⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        79⤵
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        80⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        81⤵
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        82⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        83⤵
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        84⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2984
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        89⤵
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        90⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        92⤵
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        94⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        97⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        99⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        100⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        105⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        106⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        108⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        110⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        111⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        114⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        117⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        120⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        127⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        128⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        131⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        132⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        137⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        141⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 408
        142⤵
        Program crash
        
        PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6024 -ip 6024
1⤵
PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
96KB

MD5
871225b33a88bb0b5b39824abafe5806

SHA1
a23ecd325583c0906316588dbdde56df3f716bf4

SHA256
d6d366743929380870e9f058a2b0ebe1913beb4b6c1981d54485e8b43fe7ea3d

SHA512
a40f10d42d33b61272fa57a07827a2306ed8444b0801429c81cc9663e5d92ff8fd83f3598c93729485b02442426f4b57bf8351227cb3937545ed529d3ad23c5f

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
96KB

MD5
c3be10e84a9258bad4226c68037e62ef

SHA1
2c046f646a40f78ba22dfb5fec96792c3e8cd290

SHA256
531b3f5984a946e3d4d06061020562043780ee829e0d2aab1dd3ec5ca9e18604

SHA512
58bc0044fc146e9bade602e28f2db74e019ea6e62dc4ac3cdf1cad0834255c64ae9de6efb779a4503158084e8233af02fe37716e478bb9b7ae2b6f3c774b9e61

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
96KB

MD5
efe9478afe484ef072460b2db847cf33

SHA1
c80a216ff8289dc2fc1333b800448799cad0f4e8

SHA256
a3b0cca2b30903bfb8e50ff9f540b5560f601e490c5a30d8fd4aa77bbac92d9c

SHA512
7541498f267a34a1a40ad6b0053544bff397d467e8caddefa5044ebffa66b7ab96688c73d1ee03bcb2a2667b31237104d63c5aee6c5cfb6076b788abd0575c10

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
96KB

MD5
190e782b4e4b74e9321b02ce99698abf

SHA1
d136104fd87fb949bbe687242f91edb76e73b6e8

SHA256
c95043c9826b64f4448a750d05fb9eef86011a7cc2aadc7c72209d4419c2936f

SHA512
497911557b285ba1cc95fd9d8eeae8d0170cb1d5fdd4e7153493bbe5a4a0a71df9a11b8c42464e3d9b5dc3218a3bed40549e62fc256a7578277e826dcc9f3b4b

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
96KB

MD5
091088b6f50c800501ad44f3d411c4b7

SHA1
188c386d8cc4064948a243c3e67da576b85d7056

SHA256
06bd4b87421da28ae594d717de8180a816ad7165c6b139610f9a6ecf0f033a6b

SHA512
a8a043b3b9e005b7e96989dbff3d9777d60dc8adea6c1943ef477d6da288ac524ef59355429951f5545f2631c7e607bfda28d8e0ba8866fae61d586831805d4f

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
96KB

MD5
da82df7e26ed623fac9d1b51c107e0cb

SHA1
69d31d1f054637752852186b64a87fb8edc0fd72

SHA256
c2c4ba843102afdc964c46a5faf1d4eadbd8b4e6d63f8907651c2c3eb76486a7

SHA512
cbdb65ec1f8a2a03b478060535a13e4d780b436acedb5bb84c461ff1321ece54616c5127c664a592a3b7b65e4fa6d00d372eb258b9b4348261c9eb792350bd92

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
96KB

MD5
73629b935fefc34f1df8fe2c297e8755

SHA1
a83da5a375ecbf7742bc5a00e82614a60cdd6d2b

SHA256
5941d97d6067d09920bb3db89267661fbae8602845077a238ce3ecc8422a8a44

SHA512
166a123bb2b019d2eb991c4ae3828dde70a58940fc80b69a4799a3bff7131e6b70d258cad0d31fdace9c5f224d20905d23efc3663c4d4eedd4e36ab74abd6a69

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
96KB

MD5
70025c39c9a065e8195508edcafc3bdc

SHA1
f8509a7cba1e4dd95c4f4b7acc8e89060b240013

SHA256
952fb4b5f5ebbe61c70477a61f9fe93a2c56fdcd60792276970fed70c60e278d

SHA512
d9247548c06d26fdb3915c6ad7eb588cc2e8e673867c1722cbd6942ac039c1eb35e488dce0c53430bdbeeb861e12512d91e801f97a203cc0282540aeed663271

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
96KB

MD5
26b858a9c6bf98a69591f332f23e2439

SHA1
c0817dfced5d1a512d95bb5cd1c04028885852a7

SHA256
3f6625e0ebc4695e0df2ac547e4efe8eba2978a3110ffb9bfc6eac3deeac20d7

SHA512
ceda17f7533ba7d85b45be08a57c28082f5b8ccc2d3101c81c06f3ea29c3103eb263353851ee889d2bf3e9f2a8e9f99404316f831d8aa98b4f862228d38cae8d

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
96KB

MD5
9c0b95204534d41a617c7ec5cbeacab4

SHA1
effb106b65be399077ce198e1bcf9a76541e53f7

SHA256
670e4dc549e04e21c6f4cd35d820d78bc532cff1409df4083a346d0e715ce914

SHA512
2f480135754c24ec1f20c073ffd9efc5d0e39ad91db906d5c072a3d97606ab2de3c4969df336d0397dc1342131a3642f77232a5b59a60bed9073211802a74812

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
96KB

MD5
a67db5d472cdd6787531ff56806044c8

SHA1
e2f086f9b6409dc1cc3132a02ca2828105c9dce6

SHA256
07bdf38edc489403726c946cf72f19707b055795d7f7ae4c9a9c3e965d3bd41e

SHA512
9c1ef00f2a1471805d9cf3b25b116dc53f222a10d9e3e37e2eb31fac0663cd2394be620aaabe754bac736664ddc76a9a82e3874332612ffb546ae5f4b52b79b7

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
96KB

MD5
b114e598bc6464186e295c5938d75024

SHA1
7972370bd7be15d949ff53d137fdcdbefb3cdc3a

SHA256
be1f1d3f3178cec139e65083ce73d8fc18e83abaac92fa5284bc303c78200346

SHA512
671d5314d9910206fc2bacdecb8c971634d67ad8401c82df2e9c6f42ceb478219004872d231768d4ce927dbc7b319e8b34f4f8cd6db6e24c0bdb4bd92eed5489

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
96KB

MD5
8a399f9242cefd98c616d7e44225e064

SHA1
1617d38b5fec30f5154ad418826a311b915f9528

SHA256
e0da019e74fee463234b3b34a052e8747a8d5b444375a68aa61cb14a4a8c0f6e

SHA512
72b2b51b96e21a3dee95bdd48ffb24ce9a70a0cbef7f6d964e30efcd019fbfc6c74289363e678a3b5aea482d5464fb013ba3e2e42667b9321d3fe178ff89d3e4

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
96KB

MD5
d802fb9aa879676cc9d4d42d1de74e47

SHA1
ee282a8aa4c4e2b6a4f73817beb588531f8f9c81

SHA256
a9ddafa2b8441d617861daf57a82c4392f1ce325023744fd6971fa2ea581c535

SHA512
adc5ec9c704d9dc0f0a147922c6da6537c8fcbea5bde34b37a3254c8126962e5868485b9b08097b2841642664a900bf62f74f6749ac3e36bb4847cd01cafeb42

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
96KB

MD5
3ba634dad7b9d8348147990e49cfbbb4

SHA1
9a5ae6816480b1a5bd7d8348eb1e59839a88f5db

SHA256
99677dafbea0300439049f10122e2531cda99bf0895433789d2abd3024a50c6e

SHA512
3934e94bfefc83dce4798f85c903d44064cdff0011b9b741177467e41eab0d34f211cfb9ce39600a6f5b00045aaa0cb9f075b2458c570e24385542ecc519aeb6

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
96KB

MD5
639225b47a9051ea7c26213bd36c1fec

SHA1
277d2b6edee50f9e398d26f6abb46e6a80980c95

SHA256
4eae4e00bf7fb69c317d29d1f647509736a15d98929e933069b51a0c700f2aae

SHA512
55692782c4f2a5ceffacfb172fc03e3f618f860e32a7b959089e46f1581fd72507f2ac495c3752faa24b1e0107883ec517b7a86053ac51d468d7470490e45199

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
96KB

MD5
a771fcc68a3ccca3dd64fcb0d309ae8a

SHA1
3ff97bfc06f4cd5ed9e8f503018967c9570d3cb3

SHA256
1381d5769e53744afa7e077e35e08c8ab8e7670d999af667888a40ea71a97eb4

SHA512
9f8037c70aa93c91c9942f6f40e6999027d7d2a8a3e78cfba0683df5367aee90c801665b925f985e601695c019d527207f34ce8380d8c452a40780f2ab8f692a

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
96KB

MD5
9cd7766066e3515191f84ed474f53e48

SHA1
724973b9c7fd0bf41210135d617d93f0dff67b96

SHA256
82cd926d108eecc421fb93f89f1acf478e9744bb9ea97988a8224f20e6bab73f

SHA512
27b04f4661d2a99317543af2a0c73473978c7c2d415ee5df62e22d4796240b3ee80fc876d9f566c75a1ff8958d77f6cb4e366d1a21b168cb2b93c52b769bd015

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
96KB

MD5
e0fbb1a6dcf21fd584be2586deae8172

SHA1
f94bc7f860666946e40d376d10ab1c0d7af18710

SHA256
1a436ff1b04be4fb107e1e4450ebd780f6bd38c94c0ab44ab8188d184ab0d97b

SHA512
43be65c7fab0789786535faae50bcd046bb03d92e1ea3d939bad26b38ce18f1defab8409f9291938989d50e8be2efd305a034cd21c13f53baac8ffe91f0f814d

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
96KB

MD5
bada280d0f19b62aee3b86ae6a0a8e6a

SHA1
1b0e8ed60d68a64ccc9b3fd9861da135eb6a50ac

SHA256
2e705558a098f7f11ff77a569f69e20db060b4d18a51dadafd42fde6cac0d5a7

SHA512
c63f765288969645847c300e6e5c59d413666af9ea376c9461b54b9768df5f13fb7ddae95ff0f774add2db8847c2688e30f54ced6292245cb0e944ecc31ece35

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
96KB

MD5
7bcb58e0035a9ac323116258b30b5121

SHA1
34b49eb2c32a0eb32d32d04d2034de2a47f77067

SHA256
fcd45d07811e43afdfa95ba87d17f66f3905aaa8b69467a5e656902c49d6ccfd

SHA512
2f1e4ebeb43afe253228fa581394bdb8a8d37400c3d31d79df08c15c93604e46d5b98944beb8648db6b8dc0ce40b3135a3b021150e23ff8bf6fe3438af442199

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
96KB

MD5
8ab5ccc2e21bd5da29379cd27295fabf

SHA1
d1d79f154745fd3ad10aedd76ebe87ce8bc4f199

SHA256
0ac7e9c7e89a6292c77ada829715bd0ff54e7dc348d78ef2f1396b3d3880d7f7

SHA512
2d65db928eb6f91334a5914a738d6867796c0eeff0e7b01c2b00b34b4fa3ba91d75eac39770f538224fc9e6cbbf1d6c6b9d3be6e9d8763b7d659bf9e8bc0d23b

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
96KB

MD5
7ed2842113e53c1f91f7d2618359c098

SHA1
35247ad506d1845d6899ef61ef8b2bb815d95ce1

SHA256
4ec04e86804803222fc8755846876073208206b4ec13ffd2730deac05ac6943f

SHA512
fd66d1130678986f0a8bd35508b4e6a19f4e83168f5e4493887aa6adecedbf0d852eb50b53a38c614f1a9b5804a550e56d7c75f30abe645a746667da4aa5e953

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
96KB

MD5
383191987c82d5df49ccd4e4d130a488

SHA1
50c700f0f367bcbc839366693932af1b6e182efa

SHA256
ee50606e7f62fc5add35203ffb581263d61daaa481c5d4e76d9d404d426cfd26

SHA512
7196d3302d55878f3580a123a600f6ca0764a735c708667ee318ea4371eca6c7d1c2cf909f2c14296d7e3e40c583c9871be03ec42c2ffefc401eb94eabd8ef45

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
96KB

MD5
e6e8578816230e143e3846af69db2199

SHA1
ce496db47b0652fdce603b9580bccd34cf58e20a

SHA256
b9c11ec221259bd291b8311d3bca0c6cdcbc7cf7e89851f560dccaa832a742f8

SHA512
7168159bd166c1dd602432a8da839530dfe390fe3aa07c324f4b519dc727a3e60df1b963bf86bc278e4fce4e30111e16c2fa008912550c81a5fbbf8f3ebd9a83

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
96KB

MD5
a9c98712deb3a56ae9fc00db54cf777b

SHA1
319048cbb653a1c7a13ae3c44c71082a223c2cd8

SHA256
4343850c3280b499646498263858c608444793337bf6820ba0a1cf0180d2cbc3

SHA512
13c136e7ad5b2d8741faf99ab2b2133459da063f3b335961f71bc260d42e8ffb74db4bae71af303ce88497898991f17ca6865501b433d6fd8dc9b73793227c0c

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
96KB

MD5
5bb2dfd4cba7380f16a387c246851d52

SHA1
410c148d1223d5293652314f8478bb6dbe762935

SHA256
41483a29a419f30cffccc3c67cfb5d1d4d7c135de4a842e75eebc695170bb847

SHA512
c17a0f6c71c8a584788aa76d9003df32d3a64e12f9ce8ca6b4abff87d27fd4ecf010518e9e76e869ace535bbce806061803ff692b041139343fee64271588cb2

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
96KB

MD5
611f499c72e5b2cfe0d3761c382bf472

SHA1
d05874e3bc16252b0266f04df6d768f69b1a2216

SHA256
a907599998474fce23e8fa0b6364e34be8d41c9e5c2c8a1131078d87fd44ae4b

SHA512
51cb4e51fed5cab4e3fd71a4088be2438d8fd4f6c992f253527be33944eacf66babd175bb2c54070fa7e781c46400d9cd5bf606c392bca96f411ddae08fcfe7a

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
96KB

MD5
864d2153674ca27094bdaf7ee74f645a

SHA1
a275759e98b25f997a52ed2eed9ec2b88d63e8ff

SHA256
df13260199f415646b4dabc949c89eaa272c19dd58319eb5e95208e5d9dbddfb

SHA512
4e6ded71c753a248f5d454da78b1e5cf7ff15d25970933c2fb99cdebed94be10f807080e3d7e6d8f04f3c1bf66f1de9956fd598ccdcddb2e6b9c03b0d20aa4e8

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
96KB

MD5
3d057b024e445448ad30a782366851aa

SHA1
e89d3e0717fe57eaa014faf5ed11a21dc8cf6642

SHA256
e4790b249e025e351377694f40ac189b5f32a697367c803dea688296d6efd72c

SHA512
be9c5093e746a80068a521f71faac2cc68977019b0b6c186d8826fb75ebf3df073b4cb1117a0f17c8426df59aa2c24665fd21b47b1f7b251b045e268f5f6799b

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
96KB

MD5
2e78cbc185fb980066706358c0a0e7f9

SHA1
a38b7c2247410cb283c2602b2a777b975cbae5c7

SHA256
e76023e89e2e34d4f06b8d8ba7d766f521a77f141018d41353c9eecd287eeaf3

SHA512
62eb4201a0cdfe9eb3c2a2d3ed5e39196b7d2e70a689d39341aad370fbc088bb7dc164512c01a35dffe5dd447abb58b620a1b646a610f1dcc8f02c09945797f8

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
96KB

MD5
c8867da9ef2aea34487b6176c668476c

SHA1
46a5555596427f19b33526b209447b104ed1f869

SHA256
192741363b6ee81bc93e1c02db9ea3d96641827ec7f90381c6f823df0a0e5062

SHA512
e213ed45236c4a0a4d6a34b4c7601769127fa8f1e46a7a643449be73787dd2cd0200b95c7ae9b55902ba2a9d4748c9faef46da7a3c7e48caefebb68016112547

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
96KB

MD5
e09061028cdeadba55f840d529c42272

SHA1
56e54db53caaafe8c87ae736f80c938fae0d47ef

SHA256
40372054f58b5ef61bce015819c8d971bc669164c2b4ca7158292b0a686c104b

SHA512
efa5705fb9d4c8895512ea2360a301a254ca95261f0b79ea59d468f8c1dcc35f12c1c1e9dc8aa7f2df49b16fa7ba015b0a6f8bef2aaa1ea4ecd0ece2cdaf9b66

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
96KB

MD5
432605c3da503a6924d9455800b6a722

SHA1
8bafc40291b849af1b96b746c9e2d47c03b52d17

SHA256
2090e6021541e49545350d4566986eb2c71052d4540e357509cfbfc229cfc338

SHA512
5a443fea0aaf44f7adbb676d07ce0568b4ece1ad0f3377d6eba05f543cd4dab0241309eafc826944496a7dd1372747016ed7c32a368d800286c792200267335c

Download Submit
memory/388-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-1010-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-1006-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-1005-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-978-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5140-963-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5444-960-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5464-994-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5512-993-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5568-992-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5648-958-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5688-970-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5756-969-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5824-968-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5880-956-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6036-965-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6084-980-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6112-964-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6132-979-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads