c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1.exe
Size

125KB
MD5

c291e38137c53466520c9bb7e1aad70c
SHA1

4d9451f4dae605d45acd6b6b852a74e42bc3888c
SHA256

c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1
SHA512

8572462515704e8bbe90f63a81016b4b415762d31fdfcf4b7d3d2fb00c6092c861fff290debf37fb1e8ba9c0e2da2261a0903a8f325bbdcc5ebbdbde01338d3c
SSDEEP

3072:CXRh4zXBywtz0AAhR5cu1WdTCn93OGey/ZhJakrPF:Gj2BgpcFTCndOGeKTaG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcfqfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iblfnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hflcbngh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdjjckag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hopnqdan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbbkaako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfifmnij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcdmga32.exe

Executes dropped EXE 64 IoCs

pid	Process
1592	Fbpnkama.exe
2616	Glebhjlg.exe
4420	Gbbkaako.exe
2376	Ghlcnk32.exe
1808	Gcagkdba.exe
3392	Ghopckpi.exe
4748	Gdeqhl32.exe
3168	Gcfqfc32.exe
732	Gmoeoidl.exe
3404	Gdjjckag.exe
4032	Hopnqdan.exe
1792	Hfifmnij.exe
2980	Hihbijhn.exe
4784	Hflcbngh.exe
1500	Hcpclbfa.exe
460	Hkkhqd32.exe
5064	Hioiji32.exe
4464	Hcdmga32.exe
324	Immapg32.exe
3948	Iblfnn32.exe
1220	Ildkgc32.exe
4100	Ifjodl32.exe
2212	Ipbdmaah.exe
4864	Ifllil32.exe
824	Ilidbbgl.exe
4048	Ibcmom32.exe
1268	Jimekgff.exe
3464	Jcbihpel.exe
2320	Jioaqfcc.exe
4448	Jpijnqkp.exe
2308	Jfcbjk32.exe
1652	Jfeopj32.exe
456	Jmpgldhg.exe
1812	Jmbdbd32.exe
4536	Kfjhkjle.exe
3696	Klgqcqkl.exe
2940	Kbaipkbi.exe
5088	Kikame32.exe
4492	Kdqejn32.exe
1688	Kfoafi32.exe
640	Kfankifm.exe
1160	Kdeoemeg.exe
2596	Kmncnb32.exe
3316	Leihbeib.exe
4300	Llcpoo32.exe
3932	Lfhdlh32.exe
2724	Lmbmibhb.exe
3524	Lenamdem.exe
900	Llgjjnlj.exe
3008	Likjcbkc.exe
1784	Lpebpm32.exe
4888	Lgokmgjm.exe
2536	Mdehlk32.exe
3060	Mdhdajea.exe
924	Mdjagjco.exe
4216	Mmbfpp32.exe
4960	Mdmnlj32.exe
3300	Miifeq32.exe
2488	Ndokbi32.exe
2956	Nngokoej.exe
5048	Ngpccdlj.exe
4948	Nnjlpo32.exe
4820	Nphhmj32.exe
3816	Neeqea32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Ifmafkkf.dll	Gcfqfc32.exe
File created	C:\Windows\SysWOW64\Ghkmacoj.dll	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Jmpgldhg.exe	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Allebf32.dll	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Hcdmga32.exe	Hioiji32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kfjhkjle.exe
File opened for modification	C:\Windows\SysWOW64\Iblfnn32.exe	Immapg32.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jmbdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ghlcnk32.exe	Gbbkaako.exe
File opened for modification	C:\Windows\SysWOW64\Hcpclbfa.exe	Hflcbngh.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Kbaipkbi.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ibcmom32.exe	Ilidbbgl.exe
File created	C:\Windows\SysWOW64\Jcbihpel.exe	Jimekgff.exe
File created	C:\Windows\SysWOW64\Phaedfje.dll	Jimekgff.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Lejfpelg.dll	Hopnqdan.exe
File created	C:\Windows\SysWOW64\Hkkhqd32.exe	Hcpclbfa.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Mnbcedcn.dll	Ipbdmaah.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Jioaqfcc.exe	Jcbihpel.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dmcibama.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6072	6020	WerFault.exe	202

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hflcbngh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keajjc32.dll"	Hioiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kikame32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbhll32.dll"	Hflcbngh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmafkkf.dll"	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihbijhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hopnqdan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooajidfn.dll"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 1592	4248	c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1.exe	84
PID 4248 wrote to memory of 1592	4248	c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1.exe	84
PID 4248 wrote to memory of 1592	4248	c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1.exe	84
PID 1592 wrote to memory of 2616	1592	Fbpnkama.exe	85
PID 1592 wrote to memory of 2616	1592	Fbpnkama.exe	85
PID 1592 wrote to memory of 2616	1592	Fbpnkama.exe	85
PID 2616 wrote to memory of 4420	2616	Glebhjlg.exe	86
PID 2616 wrote to memory of 4420	2616	Glebhjlg.exe	86
PID 2616 wrote to memory of 4420	2616	Glebhjlg.exe	86
PID 4420 wrote to memory of 2376	4420	Gbbkaako.exe	87
PID 4420 wrote to memory of 2376	4420	Gbbkaako.exe	87
PID 4420 wrote to memory of 2376	4420	Gbbkaako.exe	87
PID 2376 wrote to memory of 1808	2376	Ghlcnk32.exe	88
PID 2376 wrote to memory of 1808	2376	Ghlcnk32.exe	88
PID 2376 wrote to memory of 1808	2376	Ghlcnk32.exe	88
PID 1808 wrote to memory of 3392	1808	Gcagkdba.exe	89
PID 1808 wrote to memory of 3392	1808	Gcagkdba.exe	89
PID 1808 wrote to memory of 3392	1808	Gcagkdba.exe	89
PID 3392 wrote to memory of 4748	3392	Ghopckpi.exe	90
PID 3392 wrote to memory of 4748	3392	Ghopckpi.exe	90
PID 3392 wrote to memory of 4748	3392	Ghopckpi.exe	90
PID 4748 wrote to memory of 3168	4748	Gdeqhl32.exe	91
PID 4748 wrote to memory of 3168	4748	Gdeqhl32.exe	91
PID 4748 wrote to memory of 3168	4748	Gdeqhl32.exe	91
PID 3168 wrote to memory of 732	3168	Gcfqfc32.exe	92
PID 3168 wrote to memory of 732	3168	Gcfqfc32.exe	92
PID 3168 wrote to memory of 732	3168	Gcfqfc32.exe	92
PID 732 wrote to memory of 3404	732	Gmoeoidl.exe	93
PID 732 wrote to memory of 3404	732	Gmoeoidl.exe	93
PID 732 wrote to memory of 3404	732	Gmoeoidl.exe	93
PID 3404 wrote to memory of 4032	3404	Gdjjckag.exe	95
PID 3404 wrote to memory of 4032	3404	Gdjjckag.exe	95
PID 3404 wrote to memory of 4032	3404	Gdjjckag.exe	95
PID 4032 wrote to memory of 1792	4032	Hopnqdan.exe	96
PID 4032 wrote to memory of 1792	4032	Hopnqdan.exe	96
PID 4032 wrote to memory of 1792	4032	Hopnqdan.exe	96
PID 1792 wrote to memory of 2980	1792	Hfifmnij.exe	97
PID 1792 wrote to memory of 2980	1792	Hfifmnij.exe	97
PID 1792 wrote to memory of 2980	1792	Hfifmnij.exe	97
PID 2980 wrote to memory of 4784	2980	Hihbijhn.exe	98
PID 2980 wrote to memory of 4784	2980	Hihbijhn.exe	98
PID 2980 wrote to memory of 4784	2980	Hihbijhn.exe	98
PID 4784 wrote to memory of 1500	4784	Hflcbngh.exe	100
PID 4784 wrote to memory of 1500	4784	Hflcbngh.exe	100
PID 4784 wrote to memory of 1500	4784	Hflcbngh.exe	100
PID 1500 wrote to memory of 460	1500	Hcpclbfa.exe	101
PID 1500 wrote to memory of 460	1500	Hcpclbfa.exe	101
PID 1500 wrote to memory of 460	1500	Hcpclbfa.exe	101
PID 460 wrote to memory of 5064	460	Hkkhqd32.exe	102
PID 460 wrote to memory of 5064	460	Hkkhqd32.exe	102
PID 460 wrote to memory of 5064	460	Hkkhqd32.exe	102
PID 5064 wrote to memory of 4464	5064	Hioiji32.exe	104
PID 5064 wrote to memory of 4464	5064	Hioiji32.exe	104
PID 5064 wrote to memory of 4464	5064	Hioiji32.exe	104
PID 4464 wrote to memory of 324	4464	Hcdmga32.exe	105
PID 4464 wrote to memory of 324	4464	Hcdmga32.exe	105
PID 4464 wrote to memory of 324	4464	Hcdmga32.exe	105
PID 324 wrote to memory of 3948	324	Immapg32.exe	106
PID 324 wrote to memory of 3948	324	Immapg32.exe	106
PID 324 wrote to memory of 3948	324	Immapg32.exe	106
PID 3948 wrote to memory of 1220	3948	Iblfnn32.exe	107
PID 3948 wrote to memory of 1220	3948	Iblfnn32.exe	107
PID 3948 wrote to memory of 1220	3948	Iblfnn32.exe	107
PID 1220 wrote to memory of 4100	1220	Ildkgc32.exe	109

C:\Users\Admin\AppData\Local\Temp\c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1.exe
"C:\Users\Admin\AppData\Local\Temp\c870e5e40cf7795afbf9c602d3988803680bf2c37e557fa546c7eea2b2f02ef1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\SysWOW64\Fbpnkama.exe
  C:\Windows\system32\Fbpnkama.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\Glebhjlg.exe
    C:\Windows\system32\Glebhjlg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\Gbbkaako.exe
      C:\Windows\system32\Gbbkaako.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        25⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:824
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        41⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        54⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        56⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        57⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        62⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        63⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        68⤵
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        69⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        71⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        72⤵
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        76⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        78⤵
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3200
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2964
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3556
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        84⤵
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        85⤵
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        88⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2808
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2952
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        92⤵
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        101⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        102⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        105⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        106⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        108⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        111⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        114⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 420
        115⤵
        Program crash
        
        PID:6072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6020 -ip 6020
1⤵
PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amgapeea.exe

Filesize
125KB

MD5
4cfb8ba0f6af16fd01974c2acb969847

SHA1
97ef58092641f799be772c133058a7f888842d44

SHA256
2190dbd86316ac7b3d6d41528608dee3215091bad4e93bc5c9e515345b23954e

SHA512
272bf5b0474cbdb9daf9b5098c7c96dd4c1036d298bce12640cd6fc5b5f183373569782b2e3e02f1593085e0b7a95b1d3c115efa900c4abf2c6ac848d9ac3b4e

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
125KB

MD5
a748714653666bb0366688cc67d95965

SHA1
f64da0a14e0695ae0206b9e90aec1d85b4c70fc3

SHA256
ff0e60bcc037e9d2f5a91eaef744248ac1472bcc0b1bcbf2f07eceb9c6e551ee

SHA512
b9f647b247f560f9bc81944710a7e29c5cc106d55d8acccb99a76faddb09a7e714b9ce9cdf377c8e59b1cad555c4486645dfee158e43cdfb4b7c764c1203aa4e

Download Submit
C:\Windows\SysWOW64\Gbbkaako.exe

Filesize
125KB

MD5
f2637772e97a75fd9a695e8b03987aed

SHA1
5fbf2ebd19a8b780777b2bf2ea4630dc78352a95

SHA256
af52852a6c5b4ad52ac7e15189573a9bf9b8a25e4f24dd249e85bbdecc825c82

SHA512
ebd7a33632a389a0a1da7a20f13ff4f4c81cd7c1c054e72ea2c4a7996cadbf78e626a95da6ecddaf1267804d3861f0a42f617c6703b91b7945020584ce5c64ee

Download Submit
C:\Windows\SysWOW64\Gcagkdba.exe

Filesize
125KB

MD5
c0dc034c16cd0872415707967ee8a779

SHA1
10a56a8456d4bfc988e5cbb137c29e8efabb61d7

SHA256
a30274db825394f77a68cd4ea2dd57b99f6b44e303c7972af4b709878e9899db

SHA512
077e71afa49094fbaea34bd545bfb5847f4aa6d7e301283d2abc5431de3323605200dc30b38c9f8894a72b40ca0bb0baaea3ce7aa928a1f9403aff67ede0d2eb

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
125KB

MD5
6fc27d642fd3be2f9bce50b6192514c8

SHA1
e5af69dfc8f5c125ee845a1dbdc6ad0a71caeaf1

SHA256
898e1b4e4086c0e015ad1a6a5dd0e7cbead4d11a2ce7eb8f56e44e60073aebd2

SHA512
ed4de6e6dc669785c28749979c8fee8fd23a7ee40fce58be23434d037f4293618a77943cef216e15816d04cd4bb515fe7d7060e2acf3ed3b94c2bc558d64b383

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
125KB

MD5
add6302ab405fd96b7419ffc29f7f58a

SHA1
9fa56055c3f5b46320ea1d373a329cb394b08f54

SHA256
df59af858d475c3a69755d58323124223d88f52aace6f28fc1a76a6ff622139e

SHA512
1ef393041120325332a933e5c44812de29abf55824e0a2607244468bae6a38f375f1199c7fe67ea550387e5129aae0bb71561f6d9a782dde924787b9e6144a84

Download Submit
C:\Windows\SysWOW64\Gdjjckag.exe

Filesize
125KB

MD5
509e35c86d1b8f895b9da41a49cbbc64

SHA1
d4c5cbb0a51d06781abd69d3c2335bfd2dd38519

SHA256
7a0680470a6a0d4dd39f0d2b6879c35ea7c9704a8e96b5830938369919cec3e7

SHA512
9b7252776cc753035c47d1ea952087063bf915c46dea451e619659fb2a7a67264ccff13349dc37b4faabc1a6a091ac46b739e2c30d334a9404d4df0f3f3663d1

Download Submit
C:\Windows\SysWOW64\Gfgkmfoj.dll

Filesize
7KB

MD5
e71f5fdd0c254d92f4f57592ad396d02

SHA1
2839e9992c097dfa26178444c513e02c26ff9f2d

SHA256
2675fa0c3aaecbe64fa55f571c1a8e2ac8a8280abcbd57e041f094c7f64416a9

SHA512
4767def9f43f47d39dec6b7d4b77c08bd94a95bfd63e97b19349670e37f88c9b8474f98c107388c0fb3bbf72cdef4cbd58d31399309e51c652cb1d8b1c02417a

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
125KB

MD5
5f75f57f12d47a90a6a7e1e465b4c007

SHA1
20c3692324dfa219315c06b952e4aca452264a24

SHA256
a77014c1b358ada6599abbbca956d57c07d5c4225f7db6cdc3e035612cabdb3f

SHA512
2f9775fd3ed9488468ed09f2d0b939c5bceba9c5e4ad26336d83367523f0a739e3ef999601a5a484a435ad174883ce552008f1a0451b1719df7d947bb715eca1

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
125KB

MD5
2ec3fda7f7953af31df0f65c225ea651

SHA1
afbcd494447b6a3f949aa958012b7f0390acb208

SHA256
203da7b4a3e2373cc2aaf512e3a224fab7a8622062f78b834d4786c82550bd53

SHA512
1054131358c2cf8e665e2a356de207d03049150d360781e3fb202a4f1a86920cbb238ee7bc9a2bf7a0dafd1c579a9905de645e31123687d30e5683092a530cb7

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
125KB

MD5
7a3563d53b0f06bd287dde237e257845

SHA1
2530571d561ded4d99f62db63b991c12abc5c562

SHA256
dfbe1ecf47d6fa6ac79251d7d246184784bb32724e95426a5375d7b3dde941d1

SHA512
f82f0e22a35a908bf8bee934bd285b099c2bd9254f902fb38a817b9138e425f5f0d031d65954ee9cd4d91c9c5ac08bc8c80699cc3fbf4c3f29b7e4828f690cb3

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
125KB

MD5
0a3e24274bd347e97a4f2432f31bbce3

SHA1
ee5eb954bb4cb7d19a7d5869d3cdf45a1e388242

SHA256
afc828b71217cbf8dac20a9689f738c4ce29f9cb475d58df3a5a8e029f9e896d

SHA512
42d4bac12ccf7eac1ce20c2bf0ed648ccda6cf6b67886b2e11642f6f2d3c08036e6789c764143d697e9c5ff215284a879ebcf0b096fc733c94792bdd7310c102

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
125KB

MD5
9cad2e37d36894d46bd04efe61bfdfb5

SHA1
15c3e45c26ee3e1768e76f9ddd04907d24e78321

SHA256
567b694022a35caae9329e84871449559b722e052b90e3153c8eaa5a8dcba0a5

SHA512
f05dfddae860ac2b245101b6607fd5136942608d199e0901d250e18332392e679fc7cce4669a73666b9395bb5058838f0915a76dfce70698d6c12d6aef9147bc

Download Submit
C:\Windows\SysWOW64\Hcpclbfa.exe

Filesize
125KB

MD5
a53b39ba0df875c439af7784f78cd9e8

SHA1
1079736ae2ababaeb208210d94bb5f505989a490

SHA256
180bc52e164cb941bef8ed2bd0db88ffca75f28e75e0f79c2dec08ebd593a706

SHA512
116b7d2012acaf6d1979b17a5964f3ebe38afbf1b5fef900b20538ceaf151539bea4081cbcdc51ed601b120974fa19e4fe632f365172a00e0679cc6c8667a52a

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
125KB

MD5
3788f9a84e53dd8f9020954f43a694f8

SHA1
0a6b4daf2849455e7da8e66fd6e51e3473d609a8

SHA256
020ce7bec4fbed5c3f4bf70cccf6bf4aab1daad65c7bc5ab2b0d33997ad040b7

SHA512
e89c3a48e2682069edfe12a50b220e119197224eddf21385ca8d9dc68b4ea2df10b5f6a92644bff22b23cfe669060ca2ac659cea908ffd93423f044bbe41d98b

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
125KB

MD5
3d766ad62e84b87f9b657bbee7e6bbeb

SHA1
a42c3b5e541bc4b26ec190aa4ccbf9ac3699de46

SHA256
8752f1a9a7752580afeb6beb25a4455aad69738a213c120d8d4e73c4192d3cca

SHA512
dfbb025b4c61dbfd3c242c502ff8caee935f2beebb66c31e333b9b9873a0f45dbc6b888281012f027443a2574fac32d5d013d18ab8429067e6b97744a30bbfc9

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
125KB

MD5
2fb29f43d85f5050dd6543e0d25e6f2c

SHA1
db72e4e77e8280494d89a9f21be851aaf8d1efbf

SHA256
9b348bac8713f21b60d2633b1aa0229ec1927eedf7626f10037edd1b9f12efc1

SHA512
badc37e7d3b935f25b191a14e2d57544b1e0723e13995610abba60a0a342eec4009720ea66212c3801a6aa35d6c1ebe67e0cb38060d126fb1369198dc0c0df63

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
125KB

MD5
0a59b4e3d47a1f3edbb729f834abad3a

SHA1
5d2474cb6cbb973e3d65ae30b4d90d2c533785a0

SHA256
bd3280955263f52cb79e0679f8f0d6c7445d9c57564f1c27a19f3afc7d9538f5

SHA512
3ffaaf8db6164ef3e35c79ea790952db9e973780c954e612df283110b71054293d62c7269ebc371ecf45aac94574a20eadabfb1150310908d1d1fbac17e6f001

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
125KB

MD5
6e93cb7c519d564a13bdcf87feb1749a

SHA1
68d23adb21a4a539cb8391d8d9a5f36d9ffe446d

SHA256
65d7ee10341a4837e37fcc2203b0bc0f419fe15b88066398ea75dae995b0f117

SHA512
fa0ea2476869fbabe1e4c77096411fc0e599632e67b88eff8afaeb3085e34f41c2bf501ed97bef5ff188af719e91ce41c98eaeabdb5f5a1069899705a2b89a23

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
125KB

MD5
51a26e8fe5322e58f103d70519a1e782

SHA1
6e491b6adb1ebd6c270c86c67b877cbde107732b

SHA256
1ee6cd17a8d34f0180da1874cbeabc4dc4ec30798ff7665af9afd7dd7b9b95ff

SHA512
b8b7075adca7d1c20ae7c96d3e50bf736ddbe39682d6230e3a986deafe3159874e59d4998a7ceee73d81ae6149bb76b1d71c67d8f73ff47e2002ac3a4ba63d8e

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
125KB

MD5
24974b09ec7567638d3e048bad7a5bf6

SHA1
66be4a5e39c24b95e4b0a516fc018413961250dc

SHA256
63c5d37c57054f374ea7fe53f16f9fe83736fde887ff7c278061ca17f5f6bed6

SHA512
bac11984519c47cf71f5963d4feac7814b341b348b145869bd4bb542aaf9234bba7e77739c1c9e7a584245dc91d417dd216098e824ceaa891c83e5c364f53921

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
125KB

MD5
8290d4561f17a4585ae1880e909ae3c7

SHA1
9d59cc3102f6a721469af3394dec5aa6ccd9042d

SHA256
bb097a241bcabb82241dfe30c51900df1e867b8e0f44a18044e2247c53769ca8

SHA512
27d59c942c6a15a56913354af59c8a2d536359d7698a05a6e22e4f82ea8286a819f0392cc09d72ba689935aa9a6ef2a1ab84879e68d5a5de2e55b1671472ae40

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
125KB

MD5
e68c445ee84dde28ff9c2fe12ed0d2a3

SHA1
42f218b8b37979856fb17c5aa2cc7c1c0150e73e

SHA256
5dc4dc054c1d9e5b00dde879716bd33daabd3b956c32f1038e632f23aee28799

SHA512
fd43be6fad8ea77c5384b3246a1782c47676fcc29c5dedd46e8f48a007df6c97a1a8d425887931fa10aaaf8a8857f175878995e50e29ca5d9eaaded1cf0354d4

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
125KB

MD5
4943ff897bb786d27d9cb306018ba8bb

SHA1
3b940df9f912f22d020161a4514a5d2811d62b84

SHA256
97fe19bddbe143a4930d703707b49ab0604ddd7fc48879e78ae3a33c9e00d403

SHA512
700a1b7895f749d7ba71cba5b55c137e6837c59f224e3228cd171b1ad9da1d8bdcded06f2a93e27f10cdf7875d9cf53342e9ffc894767fae1a07245062322bb6

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
125KB

MD5
21ce5ec567ae0ba7093652a681935c93

SHA1
5b9b4f7a5dfaee77d29e1e1f7e3c02e530444061

SHA256
5ef2692d89cfa29fa97cb5246a6242251e04c3b7409d362f42fdff4bdd567c95

SHA512
ce0882378a4e2494d5c51cf276930014df24dd54ce1d750c4afc3432c818aa1edf554fd5017e724e9412dd9925aea97e5f009ec8034908de230fc319265a723a

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
125KB

MD5
63c7525dd0cbedbb4f04237c0cc663e0

SHA1
c29ac1dcfb84fdfaae41da31ce094d9fb2ca8dba

SHA256
804332d11db1ec454d7ff44751557766a6e5cf186269fd8ae9777837cbc233b7

SHA512
1bdfd6a32478d2edab7d5d2edf5c6aa7e75d17aba01424938fcf95a3302a977cddc71dc1cf66c9f734b4b1135d3099d61a3bfa36d9bb3a5fb143ed5cb66caf44

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
125KB

MD5
a4c62581137ecb76af2ddab02cde0880

SHA1
c332bffae097f93e5bd689b2ab614be3e14bfc27

SHA256
e6faca862c560e97332f6020c53b18a6df22afe674f8787d515edf9f76b00076

SHA512
7a5a05cad79382bd0c267b6543160c6f17cf2a0d472a4b318574d981ac6caf82f09da8f8fc5fa9444e2b93085876bdb8de3a4333647c856bfb98e1b3df7fb6fd

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
125KB

MD5
07446e5947c5909ccd6f9808f4b30eda

SHA1
902992442114726b36e1671602c04f5d0d7f491b

SHA256
f96fae0b4fd797f4e599ca0fe43107f208a4bbb8768a6d8da5d438e97c29cc81

SHA512
9561ebc06185d1f3a43beb3dc2299f4faa615c699854c274390a920d158732dc19c536180e092955f414e19a12c769471f86cf9d0ca51fd0cfb6edd9b01204a6

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
125KB

MD5
e503118f46338fe1d07713d52230e795

SHA1
2eca2e64a6f27a0744c1de41b73e88a398e9b861

SHA256
7428eccb6e085655027d4f381ba595fee315f917422aac98c3c16dc56b9e76ca

SHA512
e7ddad48b54e6cac6f7f95dd9c045fc9889fb99f3d495c487aa4484e9876647279aef9e7e110c8464f1233fafe0aa52abb26757f85c1b31ff51de3b1da870e8c

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
125KB

MD5
1b2bc9ea4dd50dd720942073548e6a00

SHA1
1820c63d0c8aad9b502a87bcf396328284e28b23

SHA256
e5df03afe2841161347fa5e1742e5a7b868dde78acdc18d330c4941180fa6d7f

SHA512
771d32e33549bad51b8bca9f7696f46a7cf7a434cabdd26e5f3fa89d2c80ea559176439bee0fb58acbfd76b831c5fe9f729369e983d35871498dbeaa055d6c64

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
125KB

MD5
58486c909cca284578bad10a99e1e16e

SHA1
2c37d181a307f89ef9769183cc55d7ed826ef819

SHA256
6fed1aa5ea95cc111ca42653ad37e4dab969ee93c352a87c94d57e9a2ce602f4

SHA512
d38e7e4b1c18335bbf14c3eafe1756758a0363641a69e2934d72857ac0c25505fbf2f80377834a14f54101bffd83207c837cd6c6c462fa3e740c4c228a18b381

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
125KB

MD5
163f0b1222507ac4eb95a1a844d7ca63

SHA1
e992a82350b666519464a3b592dd8969f0867663

SHA256
723305e39a8ee5876207b0c1b3c7406c07c3207923b829bfd7491f3aafcb0e02

SHA512
89fcec73a81116a65774b9e06b2ba5d52f1491b3f398a3541517e50c3fd3521bf5f134c6f9814bd1d1db89d358fce7c5f5c8aa98fc64afb97859cee99494a35e

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
125KB

MD5
4f7128717b38fa78bfe4b98ab8afcbab

SHA1
b40e22ffaab15b70ca72b71874c6380cafcbc1ad

SHA256
b7708a20b43e09aedb91ead0e981204b2c57700f4cb1591c3a40b23786e9457c

SHA512
4f5cc6ecce07c2ec54256293c7a1ff5bb46af58a37325fa67d118aca0d7326b645b7323d974151884742f2c03cf4c1b66d5d49ebf9cc1e505f679cc4a73463dc

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
125KB

MD5
283ae90fbf89a584e96d44f2657babe3

SHA1
a76d26df3656f406fce6c26c857baed6c5471af1

SHA256
14859c5f1791548dcdacd3ba29a532d6207c8581f6ef2a56a95ac2f16429460c

SHA512
292e7fa417fc4a0faa5b1c5678835950c2ab0b358fade48f0e49ddb8ddc7d561aacc8cb57d0e00a4e988be6fb668a8e9fffe1a49878e877ee7caf38bda0b4cc9

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
125KB

MD5
e46b0a49ccb93c913ab07cdd0eaa8942

SHA1
39621b2dffe460fb4b0535b99efb6218112ce8dd

SHA256
5ef36550c7de22eb249a79fa24ae5d715e2e2205898e12800da91e5414494352

SHA512
b3b4414c0854437c02957dfb585c66611d6313aadaa6201d09d80adec0e47a6b1cda6b0f408ad5676f553c6868ee6ad664cf3163d8e65aaf9abcf45dc445ed20

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
125KB

MD5
0c57903c339b07e793e9b8a02fbcd004

SHA1
478696b54a9012b60a7351cf62dd62beef526bbd

SHA256
29aeb612d49bccc45447d9f69092bcf1fb50ab256517714f28463a02056b694c

SHA512
8d4f7673b8c8145200f756e614496f8c98af3dca0f62cc15a001ce1875f2afe4d061bf107517794e7c05777b5bb39bfee0671876d64d16f8a460b67878b26fef

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
125KB

MD5
2d1cabe008241e89f4757cfabaf8d8e7

SHA1
892a6d58dbe6f6d73303daea8af3bcc45ca7a67a

SHA256
7858928b92f456f70c68d46475b0eb0e8343e1045f0232e7d436db4febace494

SHA512
9b1644d5d95ec01d68f821d11f591aaf2241fe562ce9d93dc071f1ea3be02b950425f1074ba6b38dae08930a19e28c8b9d76732d9cbe2fb35bdf666beb8458a8

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
125KB

MD5
49668438cb5ce6a01faf4c29c7bd1778

SHA1
618e431b7ff7d23ba447428e2122e9d008ba0d3f

SHA256
39ca27cd96f5e57a85894567298d5c1be1e6dae20ef1bf8c3244d77b5a440bab

SHA512
8e6d811c0b37d53a3c1c10910409b53fc704b5bddfaa4bb6b5973be9a2a7c1eaa33fe59c20f63ef37b49f2ead88f715fc996ea8a9f1d57c13cafdbdbda936377

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
125KB

MD5
9eb66be3cabaa4e89f4a892d5dbe3844

SHA1
1a04140d0dbb38c40a2ddf9fb5452d1f29d2523e

SHA256
fa698c2f9971ab837d7d35358b57235ccd0265bdda5ec65de875e010993b384d

SHA512
4d1f9f99a5729afbd29f5bf72b2804593289209888830f51cc164bcef3bd5c9144015371c9cc76527a7f9c2eedb563c579b5ca59a6d355396a15f499e4173d1e

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
125KB

MD5
b7a8721fd0d8d2ddb1dda7232b86e5c3

SHA1
0c8ba8fc95223991d6c73faeeee3add2e80e87a1

SHA256
4d7e51b4934c6b984cfae330b6559bc936b84e80cbc092844c5ab9f52924268d

SHA512
36d21b43922de21197cf2e21d9902265270869b8d64ac1a12813ff3612c0097a59961c00d59b48895deac437af3c93ffda38ee8ad3fe1d9f8991440179f8be97

Download Submit
memory/324-151-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/456-266-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/460-127-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/640-310-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/732-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/824-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/900-358-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/924-395-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/948-383-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1160-316-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1220-168-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1268-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1500-120-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1592-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1652-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1688-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1784-370-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1792-100-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1808-40-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1812-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2212-184-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2308-247-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2320-232-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2376-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2488-419-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2536-382-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2596-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2616-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2724-346-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2940-290-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2956-426-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2980-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3008-364-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3060-389-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3168-63-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3300-413-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3316-328-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3392-48-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3404-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3464-224-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3524-352-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3696-284-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3932-340-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3948-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4032-88-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4048-212-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4100-176-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4216-401-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4248-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4300-334-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4420-28-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4448-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4464-143-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4492-298-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4536-274-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4748-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4784-112-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4864-192-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4888-376-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4948-442-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4960-407-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5048-432-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5064-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5088-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads