354e81763f2eaeecd4de4a6e8e6808b24d09ab7febb55dd39e7537fa747a3e8d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8740a100ba8ac796053ee93d4d3e9ad0.exe
Size

110KB
MD5

8740a100ba8ac796053ee93d4d3e9ad0
SHA1

b836f09c53b5965c98253b4246646bab2cd646ae
SHA256

354e81763f2eaeecd4de4a6e8e6808b24d09ab7febb55dd39e7537fa747a3e8d
SHA512

6c7278f9841c76b6d4e3aa8b44f421b63c51ebc9931614c38731fcdaff24242f09e67d77437d3034a5b5169db253775f68305a4b2128ed2bc031a8546fa4064e
SSDEEP

3072:gekdkk/tQRssLB87gD10IcTLJiXSk6IXP:Ck6tARGIhSk6k

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe

Executes dropped EXE 64 IoCs

pid	Process
3704	Gmkbnp32.exe
3776	Gcekkjcj.exe
1928	Gfcgge32.exe
2064	Gmmocpjk.exe
2492	Gpklpkio.exe
1544	Gbjhlfhb.exe
4340	Gidphq32.exe
5076	Gqkhjn32.exe
1428	Gbldaffp.exe
1736	Gmaioo32.exe
5096	Gppekj32.exe
624	Hjfihc32.exe
3332	Hapaemll.exe
8	Hcnnaikp.exe
1636	Hmfbjnbp.exe
1976	Hpenfjad.exe
876	Hbckbepg.exe
1108	Himcoo32.exe
1120	Hpgkkioa.exe
4456	Hbeghene.exe
4424	Hjmoibog.exe
2080	Hcedaheh.exe
3292	Hfcpncdk.exe
5100	Hibljoco.exe
2400	Haidklda.exe
3716	Ibjqcd32.exe
4068	Ijaida32.exe
3892	Impepm32.exe
112	Ipnalhii.exe
4288	Ifhiib32.exe
5032	Ijdeiaio.exe
632	Imbaemhc.exe
3252	Icljbg32.exe
4628	Iiibkn32.exe
2788	Iapjlk32.exe
4824	Ipckgh32.exe
4784	Ifmcdblq.exe
4712	Iikopmkd.exe
4404	Imgkql32.exe
2924	Ipegmg32.exe
3204	Ibccic32.exe
1924	Ifopiajn.exe
2020	Imihfl32.exe
4740	Jpgdbg32.exe
4324	Jdcpcf32.exe
1140	Jfaloa32.exe
2280	Jiphkm32.exe
3988	Jagqlj32.exe
3128	Jdemhe32.exe
2864	Jjpeepnb.exe
3080	Jmnaakne.exe
3452	Jplmmfmi.exe
2436	Jbkjjblm.exe
3096	Jjbako32.exe
3472	Jidbflcj.exe
4024	Jdjfcecp.exe
1400	Jbmfoa32.exe
4788	Jkdnpo32.exe
3788	Jigollag.exe
4972	Jpaghf32.exe
4576	Jbocea32.exe
532	Jkfkfohj.exe
3940	Kmegbjgn.exe
2252	Kpccnefa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	8740a100ba8ac796053ee93d4d3e9ad0.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5432	2892	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 3704	1416	8740a100ba8ac796053ee93d4d3e9ad0.exe	85
PID 1416 wrote to memory of 3704	1416	8740a100ba8ac796053ee93d4d3e9ad0.exe	85
PID 1416 wrote to memory of 3704	1416	8740a100ba8ac796053ee93d4d3e9ad0.exe	85
PID 3704 wrote to memory of 3776	3704	Gmkbnp32.exe	86
PID 3704 wrote to memory of 3776	3704	Gmkbnp32.exe	86
PID 3704 wrote to memory of 3776	3704	Gmkbnp32.exe	86
PID 3776 wrote to memory of 1928	3776	Gcekkjcj.exe	87
PID 3776 wrote to memory of 1928	3776	Gcekkjcj.exe	87
PID 3776 wrote to memory of 1928	3776	Gcekkjcj.exe	87
PID 1928 wrote to memory of 2064	1928	Gfcgge32.exe	88
PID 1928 wrote to memory of 2064	1928	Gfcgge32.exe	88
PID 1928 wrote to memory of 2064	1928	Gfcgge32.exe	88
PID 2064 wrote to memory of 2492	2064	Gmmocpjk.exe	89
PID 2064 wrote to memory of 2492	2064	Gmmocpjk.exe	89
PID 2064 wrote to memory of 2492	2064	Gmmocpjk.exe	89
PID 2492 wrote to memory of 1544	2492	Gpklpkio.exe	90
PID 2492 wrote to memory of 1544	2492	Gpklpkio.exe	90
PID 2492 wrote to memory of 1544	2492	Gpklpkio.exe	90
PID 1544 wrote to memory of 4340	1544	Gbjhlfhb.exe	91
PID 1544 wrote to memory of 4340	1544	Gbjhlfhb.exe	91
PID 1544 wrote to memory of 4340	1544	Gbjhlfhb.exe	91
PID 4340 wrote to memory of 5076	4340	Gidphq32.exe	92
PID 4340 wrote to memory of 5076	4340	Gidphq32.exe	92
PID 4340 wrote to memory of 5076	4340	Gidphq32.exe	92
PID 5076 wrote to memory of 1428	5076	Gqkhjn32.exe	93
PID 5076 wrote to memory of 1428	5076	Gqkhjn32.exe	93
PID 5076 wrote to memory of 1428	5076	Gqkhjn32.exe	93
PID 1428 wrote to memory of 1736	1428	Gbldaffp.exe	94
PID 1428 wrote to memory of 1736	1428	Gbldaffp.exe	94
PID 1428 wrote to memory of 1736	1428	Gbldaffp.exe	94
PID 1736 wrote to memory of 5096	1736	Gmaioo32.exe	95
PID 1736 wrote to memory of 5096	1736	Gmaioo32.exe	95
PID 1736 wrote to memory of 5096	1736	Gmaioo32.exe	95
PID 5096 wrote to memory of 624	5096	Gppekj32.exe	96
PID 5096 wrote to memory of 624	5096	Gppekj32.exe	96
PID 5096 wrote to memory of 624	5096	Gppekj32.exe	96
PID 624 wrote to memory of 3332	624	Hjfihc32.exe	97
PID 624 wrote to memory of 3332	624	Hjfihc32.exe	97
PID 624 wrote to memory of 3332	624	Hjfihc32.exe	97
PID 3332 wrote to memory of 8	3332	Hapaemll.exe	98
PID 3332 wrote to memory of 8	3332	Hapaemll.exe	98
PID 3332 wrote to memory of 8	3332	Hapaemll.exe	98
PID 8 wrote to memory of 1636	8	Hcnnaikp.exe	99
PID 8 wrote to memory of 1636	8	Hcnnaikp.exe	99
PID 8 wrote to memory of 1636	8	Hcnnaikp.exe	99
PID 1636 wrote to memory of 1976	1636	Hmfbjnbp.exe	100
PID 1636 wrote to memory of 1976	1636	Hmfbjnbp.exe	100
PID 1636 wrote to memory of 1976	1636	Hmfbjnbp.exe	100
PID 1976 wrote to memory of 876	1976	Hpenfjad.exe	101
PID 1976 wrote to memory of 876	1976	Hpenfjad.exe	101
PID 1976 wrote to memory of 876	1976	Hpenfjad.exe	101
PID 876 wrote to memory of 1108	876	Hbckbepg.exe	103
PID 876 wrote to memory of 1108	876	Hbckbepg.exe	103
PID 876 wrote to memory of 1108	876	Hbckbepg.exe	103
PID 1108 wrote to memory of 1120	1108	Himcoo32.exe	104
PID 1108 wrote to memory of 1120	1108	Himcoo32.exe	104
PID 1108 wrote to memory of 1120	1108	Himcoo32.exe	104
PID 1120 wrote to memory of 4456	1120	Hpgkkioa.exe	105
PID 1120 wrote to memory of 4456	1120	Hpgkkioa.exe	105
PID 1120 wrote to memory of 4456	1120	Hpgkkioa.exe	105
PID 4456 wrote to memory of 4424	4456	Hbeghene.exe	106
PID 4456 wrote to memory of 4424	4456	Hbeghene.exe	106
PID 4456 wrote to memory of 4424	4456	Hbeghene.exe	106
PID 4424 wrote to memory of 2080	4424	Hjmoibog.exe	107

C:\Users\Admin\AppData\Local\Temp\8740a100ba8ac796053ee93d4d3e9ad0.exe
"C:\Users\Admin\AppData\Local\Temp\8740a100ba8ac796053ee93d4d3e9ad0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\Gmkbnp32.exe
  C:\Windows\system32\Gmkbnp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\SysWOW64\Gcekkjcj.exe
    C:\Windows\system32\Gcekkjcj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\SysWOW64\Gfcgge32.exe
      C:\Windows\system32\Gfcgge32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:112
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        34⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        38⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        44⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        49⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        52⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        53⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        58⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        63⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        66⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        67⤵
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        70⤵
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        72⤵
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1892
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:528
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4708
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4656
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3624
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        85⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        86⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1584
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3660
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        89⤵
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        90⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        92⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        93⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        94⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        96⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        99⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        101⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        109⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        110⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        112⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        113⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        114⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        115⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        116⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        117⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        118⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        120⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        121⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        122⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        126⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        127⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        129⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        131⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        136⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        139⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 420
        140⤵
        Program crash
        
        PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2892 -ip 2892
1⤵
PID:5244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
110KB

MD5
01598560b96cfed17ee58a6cf4b56c1d

SHA1
eda1ec87fd993f001623bdd7919becea34f3acd9

SHA256
f4f86aa737008df0e65173a61bdd964d783a44644bdc9888584262355d51f442

SHA512
e61ad784aef55ee58e7f5757eb3e79d754da1fbce67fbfe81639a66a80b03687ab1c17c8c900ff33331b2f5e52c96895c8f8ba5b0096fd4bdbd8783d5f2862fc

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
110KB

MD5
a7b72aa6570ab14b518555d2c2b49e42

SHA1
0fe20b0211156f9ade1d6e60185ed42b8ba8b392

SHA256
82180bc38485a6994a1114240cc6f394877ffd98a9de2c87d98dd7526893c675

SHA512
f4cc9cd6d306ec38865be5209d2f6f569cdd6044f1a58223500d5e2babc2987129af49553163dfd22ace076add85df31d0443f511ebf262cd21788b98df70f70

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
110KB

MD5
6c146f817edbb8a6b0193e422b78552c

SHA1
b2180040c0513130382fd30f5b846ba063ca0158

SHA256
c3c13641ede9ab021691f96f1ed9c20e3daa93e92499bf02d1e32626e7aa1b69

SHA512
fe951e942ebc37012ffbabfcad0e0c07cbaa0a35a6d9116b679b432be89022b4a53d6cf403fe77a39c1bf08a0990bb0a2357d3019fa0bc9b6025d7698459cd6a

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
110KB

MD5
62b6743254d591b57403175cd55e631a

SHA1
6a756cfafbb4480046310425924815e98a1f1bc2

SHA256
1637696c987b0af2185895ee6dfe7f266603dc7690fb1331fa65e50617daf4a3

SHA512
c047dc4274df5db2b0ba23918d7a33b758432a6dc4d08d6d05c6fefa8aea96da1bcd0c49ad41634f000d4be81e8a93982335f45a1af90a28a8381991b99c1bbb

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
110KB

MD5
c10900dcfa8962fec1860f0123952b7b

SHA1
2fb4659ca971a635a18d4b3f86b38cf69e4f70ff

SHA256
29d0bf2ede0a751cd597c21d54ac0b7f90dbef428f74d304357330d2cb544524

SHA512
3a8663d452e3d9adbd7c117ca87d565bca0613a55675d1c4f2bed018571cae28b077f8970b04ac84ebe6bc47e0ed3cc0a4b183ebd38708716cd48173921f5232

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
110KB

MD5
84b0e1b49cbe42f008bb5ec16b5eca63

SHA1
1193e416d2f0f52e956defc18fcedca4833ed076

SHA256
a6f1ca0006e92071f0e9339cb987a8bcd9dc45ef0346c4e606eca6c1306141bf

SHA512
8846be77803bd3f602a342176960b744b9610658196c9a96f274dd5afc693837a92ab80455f1d7f5fd5175fcfb1d538542a71f9bb4d16a53dd2e603afadde89c

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
110KB

MD5
8da1de46343239c8ce1b7d9a861b90d6

SHA1
a3183cc8fe05e8d7267190b783c8b436d64cf7a9

SHA256
8d1c28e8376b6312063aee3775d99ea48e5a82e5d9b84931dba23ce38334cc70

SHA512
9e790347b2a6b2aabe007f490fd5b9eecb7840daa6600a27c3434408aea567db34858fc1de33c70589d7bdd336eed2bc5963a15b0eb0262be2ba00c194bc1651

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
110KB

MD5
24360404125ad87ed4ad4bf3a79215dc

SHA1
ca7136cf648e94eca6c81e2805b8ef1efc21c499

SHA256
cfbc74df771f8dbb58977c6e98d30a2521e93d5d361610f0cda28f5cb77a762f

SHA512
33880cc8ac8db43182055c26e676c856ca15e271efe8056cb8893cde0399bf6fdd7b38bae06ef2076008d9032842f69cc5fc4bfbd94d60d260302005d91ca902

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
110KB

MD5
71c1df775568641654da7314d12fa409

SHA1
2ce0529efacb14926341c68c11054412abd3a68a

SHA256
78ea31ffff9219de4610aea1decf40f4cfa9ff0b918a237058fc59f2cf0c6032

SHA512
0d30a017683ed1a6ab69e201ce6455a4b5194519fe31af1a54acf00dbe14f4edfd0d33cc4b820dfd9d94b176249011a91803d0dac4a28207bfde0851e9fc18d8

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
110KB

MD5
ef79680b6c56f5c96591b2ed6a2453d7

SHA1
712ce0eade1da2a365ae03e07aacf00d8b6c2992

SHA256
08fc92a116d27235770a25f5f0da76b281311769d42fdeccd4577b463d2fcd05

SHA512
2d4c8b65393cceab4066cc9334538cb3147484abf2386e4bab0cb01239001fe917153e425aa9d1b1b62561bf83ad787af1f4240ee7a4267b60293d4a2ae700b4

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
110KB

MD5
0d354f2d097b6fe5b44dcd3a04d80657

SHA1
4cf767ca7242b77480ee45f529ec3653db3e48de

SHA256
aa0cc7c29d2824b3c959b3802208bd71952c57b89fbafb2aee6f71de53d442fc

SHA512
76e812cf5fe52d07c9ccd7b9f375773cb97c31c206bc08c943db53972b3d4bb94e232128b8017ca62d26cd6f4ad8dd20126344e4180411bef35d531a3cee4e9a

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
110KB

MD5
f22879a55f7ea2333c0e1c28731ec43d

SHA1
3655453f62f21524c1fb81d060c9afc77a99e017

SHA256
9ca7c888aa1eeffd7635bfe089bd56809263d37340fdf2590165b2aad1dc5ff9

SHA512
583248ba1b487571e2652bb4803f0f5208335bd96f751ad00e243439e96405befb86384f6a52db3a702afc665daef6dc024727502b2ce1a27672aa52e437dc98

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
110KB

MD5
08bc7b600ac31c3bf534e252f41d925f

SHA1
96601d8518abe45ea82c94e79ef35e74cefe0b47

SHA256
807ecd202deef63d9415c8012c0170b382913af9a0621054e3eba2676ed0c15a

SHA512
ca7d658837c910177480d7c1ef745ca7d1a65659e2e03824729d42c300568ce524f1254a768d14e2bbab4d22465f2a0b340e8ae71567a97a5becb9d778d00faa

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
110KB

MD5
bbdbb543b8cc0f751566f67a0af957f0

SHA1
3a8eea3c976551a9966942c368344654e0ec261a

SHA256
6f77a4a7328aa6779bf78a32366f37c3e96bd0dc49b71049c513b5a2cfb67327

SHA512
5e1f5c0d3ae05cde2b8dea224c06279a5e1ac839b9a42edf1edbf4e47d7bf09e8c69c48cda5ecf6456ff2ab2e033190f2d546fcb4ea7d8acdd6aba29dc15cfdf

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
110KB

MD5
b2308a68fe0d35fc40932c2283bbfd37

SHA1
30086c86bba4f78fa784d204ada1cde0a10a0c83

SHA256
b8da30cebd6a571cd4047554b42417d6796a1b8b5461b21cf60400d8316c39fc

SHA512
687336c18eb1a9608c3ca80a4c1e8c0cb84f0fae4b342a71eb5469165d991ef3c156383b8a82d3beb05d19697a8ca5b193018a63e3b7195177842fb566347046

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
110KB

MD5
c86be1f0f0c694bcd5e10fc37626f296

SHA1
3f2070b573eecaca2661617aee5259d3e4cab3a9

SHA256
65b6c97cd10a3992b866d80037c0d2742c750d58eaa6dbaee9de8221ec202ba9

SHA512
c86a5898701c821f2ee1103ad287916e887653e9861dbb27752487513c1633fbd51608df997901a4e0cd371fcdae7d38b32daaa5f73eb5ee8cb379ce9d1da1b8

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
110KB

MD5
68e2e4cac5e8a32c37210037211ccb14

SHA1
554fda91f9e32fcb2264b0f44e0c71e7a7c9ffea

SHA256
cdfb5c674b752ac104dfb59c9c4f3afdeb7a42f624b024e646c067a0a22fc9f1

SHA512
26f972478b900459cb4782d3e8cebb9e647335e61279ee902a751ee9be8d323b75405656fd4b00189c657de94697dbada22b44aa0ffb045bb54a7dd1da98444b

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
110KB

MD5
8da6ee43f19a8860fc2c90a908dc7628

SHA1
cb9d03ec9886f9f1c5c6123b1be94c0c55028c80

SHA256
2d12f434b462cdd479f5660c609735b15b0a710e4e7538124f9578569f3e3279

SHA512
47adb4566e4ffb92ecd93f118513648d008996a2f0b8c3a5b59806bf047cdcd9c75fc33726546b32d8396df457b688ba44aa305ba392a134a9d80b1ec97596ad

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
110KB

MD5
87a7dfc9e11dbea5611673885d235a88

SHA1
1f416de266fb36de4faf478fdab1a04f8db7dc00

SHA256
4eec7a103bf03b3a0258a7df32eda2c2ec1ed59f1510df4774837785ce458e63

SHA512
45c9fb50bce4a41f92e499112274dc189108bacce213a5ca3e4fb6cf308d54cbacfac1d00703aaf8a5c7215973485b3a5965b9b10eab833ec75315963e1d4f7c

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
110KB

MD5
5b44b2a4fe1b0c00052e892a8e151758

SHA1
699c7f1796b7b42df05678f6bb83ed8c196d5954

SHA256
ac2b796a00aa9c8b0ab1cc076ad5e63b68eb3c74e4586d92ca3985e7f07a1d84

SHA512
00bb4d57970952593ae471a92286b82c1df04f6de85b68c5360a2a50a1286d5c149381ac12239cdb7ae5a8f9c4be6544aa758149b53dab609e70b6066e1ed7b0

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
110KB

MD5
4d4516b5a8d1882df43c3126f396c04c

SHA1
10db47a1d139e9161b36a710d52c145026befd46

SHA256
e08cc482f95245249fe47f6882598429e4dfb880b60163d4c09a42c3b28fb13a

SHA512
2a9a4405e2f9011f18aede5cbe84b820b62a65b7ad0eefd7dedaacbe0f8e4d85e39f2ca46fa3c262fbbedac5379c8556765ebd988768e4fa70fcc177bfe85828

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
110KB

MD5
6cbb7cc7d77b04b62612120437be651b

SHA1
bcf7055323756d79e979d2e096386e29873851bc

SHA256
af144030458f6a203d56644bfe99233abef19c02827fde4baa35c617c42e752a

SHA512
9934b5d414d7a7261e456887ac08782586994ef2dc236e83575aebf65854a244ea3cc6110d8f02418d3082176e4b7fe58ee68421f8c2671856718126bfb6201b

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
110KB

MD5
8dd423d9b83173f1c386191b43841e07

SHA1
46458946e237aab8d60a3c4e219c94ed6d60cfc6

SHA256
4f3d6147f82984c2b1c912b7cd341182c6d22388761cbe8e7b36160affeef019

SHA512
7d9008995881959aee6037ed23f2449ad259f98088996375be8d10906ffe20f8b83712f7b3db88943ffe41e404c9661f83b0b2721eb04317c21d82a6b6d77b95

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
110KB

MD5
fa8aa4c3304d0da14ef92ad4ea422703

SHA1
5c81cec638db3e6b271fb6cf127c4629fe495d0c

SHA256
f68a8faf59b9ad2de12b0f4dc94f529c00372257adf145449900f521ef9c226e

SHA512
2b8fcae730a40fcf6628f689256664ff6521fbbd00496826e2c82370ac33decb7500599354096f8960a58cb345525902eb0c3abdd5fc8555cc5a45a39ea4a599

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
110KB

MD5
f0f8c5d5ee9372ccb5856123ce5b8e59

SHA1
1ac1727cb65e825de30080eb74d1ec6ef0689f72

SHA256
7db37c2670b47e5fcb6b86cf36ebe7088c9b13bdf1619e37413766c13c21756a

SHA512
1204f4923874974df4bdd6d1083881a0c13031fe5036d762550f89c20e9796745090497751b15a0fd8cb3da246f07d05205acff9faf481db5800cd03c60dc9fb

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
110KB

MD5
eea6686f2ead08ade7f45ee1248adffd

SHA1
2e3cca15a8d291ec0d5cf3d7bdbf9967a9a2529b

SHA256
7b821af4af2c9c624408fb7703812a11e32eca2001165f6fe6b024ce70d36063

SHA512
d380ea81dd9a3d06e35038b0a9acaa77dd9ba62055e910c72ffbd17948223580b731d758b3ff31dfef57549ccf05e9bd0b4e12838b088eee2b8e2b863656ec79

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
110KB

MD5
34dcf5ce68a88735c8d251021f3d1008

SHA1
1ba3b507c1279d853cfbd17a869fc01e74261f7d

SHA256
4cf37ea74675e732aa67cb0507bd1023597dbf0c0fb9fdfe319884c06a5c22d6

SHA512
7579f7407a6b620f3e457c67ce45bda71904fa9e1a774a466a18223bb1310b1431a1a51d9eae82db600dc524c61493b0bdb064dfe4fb85d7dd68c1840dee2c92

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
110KB

MD5
1a0332b6d6922daf61a1f6b5e1c90457

SHA1
0037685d82259c140483a2fe6187be08cda3d00f

SHA256
2c45b012478fcf9624e1a8e331245e41e1fe3d3bdfbb82eb48709c84ee46edc9

SHA512
1696ac4714f825d4ee7656632ff1ec53a880c9af560826f3cef3a0697c377ec096594ada42cd0a6f7c1e3769e8a057bcfcfc82485153dfea58f48c22f7bba2d2

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
110KB

MD5
3f29ef863dc02d6b5eda1202261c126b

SHA1
15b585adee2bd5c98bc97d0e5c7e985445d2e3a5

SHA256
7c73104063596613541462cdfec3a4bdfd237824aeaea5d19763480f03fd32ad

SHA512
66ad5e301be4b108fd05d70dd5d788e680aea94075671fdbd73fa52f599bf1af4b2519a5fe26b05c633f6a8e7b610daa6afb2ceb4240ae18893b0891ee4f27e4

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
110KB

MD5
edc19e6509d79ad79ff60249e2bacd10

SHA1
4e22eeb8a7cad30480b65010cf3f8645cecc4c37

SHA256
94c3bc992b9af798c6473828fa6d4d59ae614162da540ff04580a12328d1bba4

SHA512
f2ce06191f044a00c111290023aef802afac4967da171fb508eae620480916ac45474c49b94f119e360276e44d2cafaf4cd0ba3f6ee0d883d6cede5a149d2c60

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
110KB

MD5
08fc32517614af64e253087993ffc6ba

SHA1
042484c087054dc914e18119e86b2f2e897a452f

SHA256
05f4748cfa8f0e3d72fc17bba2d63588c1d7b6ec361cd1cbce03e9e5682fa119

SHA512
4505063fb30a397346780a66ffac06c5fe9b4f407a878e32434915e942e32b46769e3847e7652fdfaf452e07712343b140d9528b35d2c2d11469477c9891bcb6

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
110KB

MD5
91e64974f767ece01855caf6b3d0c484

SHA1
e6068f85e3001dca8b312326f900546a9fbf9833

SHA256
79b94b2aab0eeeb4907568231a745411b8c9856536a385d168e1f4dc71ca0265

SHA512
87dec31fe526cfc6b3e300bfb1c8c378879d89bd1a2e4fba980a441de909beddd1c9deec028f33f30139ff2b3e98ebc747009607470a5852df6c86648017bbb2

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
110KB

MD5
f0dcf65321435dc501005180f9d8f3b6

SHA1
413f9687d1f68fac11517c4b7b56c4e91667fecd

SHA256
b028ce70006a3105a3fab10f85a2ca28fdb7ca45948f6949fe7491ac855275bf

SHA512
99ce28f2ca42fd4a08a29a9ac509b7ec2f1bccf5791e1a100b10f9385b917812181e41110a5405bf97521736c5659ab1409a6605d7e392104f5cdaec1e4e6e79

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
110KB

MD5
49a1be0f6167adfcc58012b119011f94

SHA1
be94aae2efe2a2afac3cf5f15cd615878bd40e06

SHA256
207f098b1e73ffce957facd0b5df98dfb96dbde61964a20012138c6b7757863b

SHA512
46ee5386e797cbb741e9a727945d2a41acbd0af486aa283ae009dee233f9b4fffcd5895d96eb68c198627a653b33c551df23d8cfe1ab11352c72574121686515

Download Submit
C:\Windows\SysWOW64\Ocdehlgh.dll

Filesize
7KB

MD5
d113526e36ce797fa2a16cd867f4272c

SHA1
4165d0212168ea16ac457a393be717f7774ef4bc

SHA256
04402268a1717885999a4b15d35a7a8dc6b3f35d9cd5304ff58532516e6596dd

SHA512
41187c72c0b9d98320577ac77389104e8d0e7bb7be944fa02bbbb5c447fc2a9049405b5af49e070f1fefa0443d307f2a3718b0e2933705fc328d0640fa0c075b

Download Submit
memory/8-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/112-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/532-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/624-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/632-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/876-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1108-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1120-156-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1140-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1400-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1416-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1428-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1544-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1636-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1736-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1924-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1928-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1976-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2020-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2064-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2080-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2436-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2492-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2864-367-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3080-374-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3096-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3128-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3204-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3252-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3292-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3332-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3452-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3472-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3704-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3716-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3776-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3788-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3892-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3940-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4024-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4068-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4288-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4324-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4340-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4424-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4456-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4576-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4628-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4712-295-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4788-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4972-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5032-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5096-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5100-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads