941fd9e73a333609fbbafd3ef54c7db2400e07b59f75abff571d1b0343af7de5

Analysis

max time kernel
136s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

941fd9e73a333609fbbafd3ef54c7db2400e07b59f75abff571d1b0343af7de5.exe
Size

256KB
MD5

31a0bff1bc6b66bb35de8acadef866ca
SHA1

a2b44e881453bfdbe9a84b7da64715a34ded5be7
SHA256

941fd9e73a333609fbbafd3ef54c7db2400e07b59f75abff571d1b0343af7de5
SHA512

7a0611b8cc8a42d464fc350832c328e57e9db7d9fce58418a0184e8428cebeed1217d07b3b85366a4af25201d965f94dc5ba10e4ce1a1ef6bab336c85b45d9cb
SSDEEP

6144:ewmZjeY853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZj:6jpQBpnchWcZj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe

Executes dropped EXE 64 IoCs

pid	Process
3704	Fqaeco32.exe
4244	Gcpapkgp.exe
3920	Gjjjle32.exe
5112	Gbenqg32.exe
4916	Gjlfbd32.exe
1552	Goiojk32.exe
452	Gfcgge32.exe
2156	Gqikdn32.exe
3448	Gfedle32.exe
2440	Gqkhjn32.exe
3220	Gcidfi32.exe
2136	Gmaioo32.exe
3952	Gppekj32.exe
2332	Hmdedo32.exe
4372	Hcnnaikp.exe
4424	Hfljmdjc.exe
4092	Hikfip32.exe
1036	Hfofbd32.exe
464	Hmioonpn.exe
3116	Hjmoibog.exe
1908	Hcedaheh.exe
2152	Iapjlk32.exe
3280	Ifmcdblq.exe
1860	Iikopmkd.exe
3484	Idacmfkj.exe
3660	Ijkljp32.exe
2536	Jbfpobpb.exe
3616	Jiphkm32.exe
4236	Jpjqhgol.exe
4428	Jjpeepnb.exe
5044	Jaimbj32.exe
404	Jbkjjblm.exe
1312	Jjbako32.exe
4296	Jfhbppbc.exe
1032	Jigollag.exe
3100	Jangmibi.exe
3440	Jbocea32.exe
4716	Jkfkfohj.exe
2436	Kmegbjgn.exe
4932	Kdopod32.exe
1956	Kgmlkp32.exe
1344	Kkihknfg.exe
3940	Kmgdgjek.exe
3964	Kdaldd32.exe
3968	Kgphpo32.exe
2016	Kinemkko.exe
220	Kaemnhla.exe
3008	Kgbefoji.exe
3496	Kipabjil.exe
2128	Kagichjo.exe
4524	Kgdbkohf.exe
536	Kkpnlm32.exe
4480	Kajfig32.exe
2568	Kdhbec32.exe
1940	Kckbqpnj.exe
2280	Liekmj32.exe
1740	Lcmofolg.exe
3188	Lkdggmlj.exe
3000	Liggbi32.exe
4420	Laopdgcg.exe
1708	Lgkhlnbn.exe
2896	Lnepih32.exe
1276	Lpcmec32.exe
4484	Lkiqbl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5808	5620	WerFault.exe	202

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	941fd9e73a333609fbbafd3ef54c7db2400e07b59f75abff571d1b0343af7de5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 3704	828	941fd9e73a333609fbbafd3ef54c7db2400e07b59f75abff571d1b0343af7de5.exe	83
PID 828 wrote to memory of 3704	828	941fd9e73a333609fbbafd3ef54c7db2400e07b59f75abff571d1b0343af7de5.exe	83
PID 828 wrote to memory of 3704	828	941fd9e73a333609fbbafd3ef54c7db2400e07b59f75abff571d1b0343af7de5.exe	83
PID 3704 wrote to memory of 4244	3704	Fqaeco32.exe	84
PID 3704 wrote to memory of 4244	3704	Fqaeco32.exe	84
PID 3704 wrote to memory of 4244	3704	Fqaeco32.exe	84
PID 4244 wrote to memory of 3920	4244	Gcpapkgp.exe	85
PID 4244 wrote to memory of 3920	4244	Gcpapkgp.exe	85
PID 4244 wrote to memory of 3920	4244	Gcpapkgp.exe	85
PID 3920 wrote to memory of 5112	3920	Gjjjle32.exe	86
PID 3920 wrote to memory of 5112	3920	Gjjjle32.exe	86
PID 3920 wrote to memory of 5112	3920	Gjjjle32.exe	86
PID 5112 wrote to memory of 4916	5112	Gbenqg32.exe	87
PID 5112 wrote to memory of 4916	5112	Gbenqg32.exe	87
PID 5112 wrote to memory of 4916	5112	Gbenqg32.exe	87
PID 4916 wrote to memory of 1552	4916	Gjlfbd32.exe	88
PID 4916 wrote to memory of 1552	4916	Gjlfbd32.exe	88
PID 4916 wrote to memory of 1552	4916	Gjlfbd32.exe	88
PID 1552 wrote to memory of 452	1552	Goiojk32.exe	89
PID 1552 wrote to memory of 452	1552	Goiojk32.exe	89
PID 1552 wrote to memory of 452	1552	Goiojk32.exe	89
PID 452 wrote to memory of 2156	452	Gfcgge32.exe	90
PID 452 wrote to memory of 2156	452	Gfcgge32.exe	90
PID 452 wrote to memory of 2156	452	Gfcgge32.exe	90
PID 2156 wrote to memory of 3448	2156	Gqikdn32.exe	91
PID 2156 wrote to memory of 3448	2156	Gqikdn32.exe	91
PID 2156 wrote to memory of 3448	2156	Gqikdn32.exe	91
PID 3448 wrote to memory of 2440	3448	Gfedle32.exe	92
PID 3448 wrote to memory of 2440	3448	Gfedle32.exe	92
PID 3448 wrote to memory of 2440	3448	Gfedle32.exe	92
PID 2440 wrote to memory of 3220	2440	Gqkhjn32.exe	93
PID 2440 wrote to memory of 3220	2440	Gqkhjn32.exe	93
PID 2440 wrote to memory of 3220	2440	Gqkhjn32.exe	93
PID 3220 wrote to memory of 2136	3220	Gcidfi32.exe	94
PID 3220 wrote to memory of 2136	3220	Gcidfi32.exe	94
PID 3220 wrote to memory of 2136	3220	Gcidfi32.exe	94
PID 2136 wrote to memory of 3952	2136	Gmaioo32.exe	95
PID 2136 wrote to memory of 3952	2136	Gmaioo32.exe	95
PID 2136 wrote to memory of 3952	2136	Gmaioo32.exe	95
PID 3952 wrote to memory of 2332	3952	Gppekj32.exe	96
PID 3952 wrote to memory of 2332	3952	Gppekj32.exe	96
PID 3952 wrote to memory of 2332	3952	Gppekj32.exe	96
PID 2332 wrote to memory of 4372	2332	Hmdedo32.exe	97
PID 2332 wrote to memory of 4372	2332	Hmdedo32.exe	97
PID 2332 wrote to memory of 4372	2332	Hmdedo32.exe	97
PID 4372 wrote to memory of 4424	4372	Hcnnaikp.exe	99
PID 4372 wrote to memory of 4424	4372	Hcnnaikp.exe	99
PID 4372 wrote to memory of 4424	4372	Hcnnaikp.exe	99
PID 4424 wrote to memory of 4092	4424	Hfljmdjc.exe	100
PID 4424 wrote to memory of 4092	4424	Hfljmdjc.exe	100
PID 4424 wrote to memory of 4092	4424	Hfljmdjc.exe	100
PID 4092 wrote to memory of 1036	4092	Hikfip32.exe	102
PID 4092 wrote to memory of 1036	4092	Hikfip32.exe	102
PID 4092 wrote to memory of 1036	4092	Hikfip32.exe	102
PID 1036 wrote to memory of 464	1036	Hfofbd32.exe	103
PID 1036 wrote to memory of 464	1036	Hfofbd32.exe	103
PID 1036 wrote to memory of 464	1036	Hfofbd32.exe	103
PID 464 wrote to memory of 3116	464	Hmioonpn.exe	104
PID 464 wrote to memory of 3116	464	Hmioonpn.exe	104
PID 464 wrote to memory of 3116	464	Hmioonpn.exe	104
PID 3116 wrote to memory of 1908	3116	Hjmoibog.exe	105
PID 3116 wrote to memory of 1908	3116	Hjmoibog.exe	105
PID 3116 wrote to memory of 1908	3116	Hjmoibog.exe	105
PID 1908 wrote to memory of 2152	1908	Hcedaheh.exe	106

C:\Users\Admin\AppData\Local\Temp\941fd9e73a333609fbbafd3ef54c7db2400e07b59f75abff571d1b0343af7de5.exe
"C:\Users\Admin\AppData\Local\Temp\941fd9e73a333609fbbafd3ef54c7db2400e07b59f75abff571d1b0343af7de5.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\Fqaeco32.exe
  C:\Windows\system32\Fqaeco32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\SysWOW64\Gcpapkgp.exe
    C:\Windows\system32\Gcpapkgp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\SysWOW64\Gjjjle32.exe
      C:\Windows\system32\Gjjjle32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        24⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        45⤵
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        51⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        53⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        59⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4744
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        77⤵
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        79⤵
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        80⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3504
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        88⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        91⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        92⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        93⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        94⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        97⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        98⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        100⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        102⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        104⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        106⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        109⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        112⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 400
        113⤵
        Program crash
        
        PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5620 -ip 5620
1⤵
PID:5752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
256KB

MD5
e47680b24f1cea88e68490daabb498ce

SHA1
fb47e94c59b93899a56b1f2bcc4be9fd612384fc

SHA256
0b73589fb865b67834e95c9e042723bea62b1e24c9d8c8191742ebfd945eb4cc

SHA512
281d871d9e593afdb11c4d4bec435ed4683c4bc336e1051fcef7e15b6a0f7344ee78362681ac649f2d332c9b743cfba727b140f8fee9496279c9d62555b01470

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
256KB

MD5
f28f0f6e32627724a495ff1e6b48d424

SHA1
875177a2f408f0da4b4defa170fce932e70c23b3

SHA256
f39d59bc2b992c1464d99f3e13ff3e8a9f35ce5fb67e1af8c70d3c24cfd07f26

SHA512
80ffca9a3224f3af8d5004f427557ff3f71992000a68a8d39388eddb6ef79322212130cfb00a2a4a830e4acb23735ca400bfe760fbc29d0d3ec3bd465bfae2de

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
256KB

MD5
eaa53a18384b265b54c07b980e0e124e

SHA1
0cba459d1ad73ee81a764e1fea54216eca22e9d1

SHA256
f06992295ca2825de747ee54a65f669863d7666057ed9758dc89f8a4fb80d47e

SHA512
6bb7c413e3b591767e6adfcb484096ef409ab3cde1289c668acb0f21f3a4b1e4217677f588e74a3ddf7a0b4cc243e0903209ca3c74c87667866b0fd78b0327e3

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
256KB

MD5
7f94ebb35234249e1d288e7f65630b35

SHA1
83a0b82d7ba28f9b70bf9cb10808b8afb8823f88

SHA256
a92210295e693fc721fbfc2f54ecf81e17cf62ab69859afe9c9e3b0ccc062d8b

SHA512
a5af231c92825f8dec970aa1ba9cfa57ec1e9f5b66a64597b53fd13e0c59f5b64245a1905af978aae9d6afc24b39931da490fe3babe50d13a356d1ffa07ceac8

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
256KB

MD5
5898d48a21a855b87ec0dbd18db06d0a

SHA1
4cd788e510103b098bdc41ddc499340a449444d3

SHA256
1a6fb32fce5962e7c63bce91f2a19a998ce9ae3099d317059c1023b693b075b8

SHA512
c99a35aef0bd3516247377e1096c29a6337a97ca43a9ad8cdee6475fa8d3019a48bcb568949308c91d7aa2347922cd652c71413bbd1ab6a4b1a68bec21ec74d6

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
256KB

MD5
0f4bbb5cc08ee1362a37bcc3b28db3b6

SHA1
d2538da2712e3222ecc77441710779673eb0d06b

SHA256
221eb9520c75dd5282823cad0281703d1de9715fde572e811e7047623f7cdfdf

SHA512
4e91c43409ed74c900ab46c2844d9728d9e169a5f0ceaf42625e9771f9a7ab02162917840d86449859f710539c8f58b5b05adb95b5cdb9772f4c19f341a9cb71

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
256KB

MD5
1125b0bec11b53be75d7323e5d542b03

SHA1
81122cf1eb865de0a9b1af1f5fdac050f0448631

SHA256
a221453f0ccad70c591f5f5e54344ffed7ccc46f6f793c100ed8f041eab9d93b

SHA512
4db9cf50a7a05bb191d56d9e582838abce3e11409b1369a48aece3169bd668ed6f6789835e4cf7cb03ef6965e22aa27e484b93a51b298d46ac74c54830f12e76

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
256KB

MD5
ed93c913fc3485f98083a20b8124cace

SHA1
861289e8e82e1fb182b9c05d01be276208276c7b

SHA256
d46bb17ee6433162cd25120249f5f0c52d066c6b8e7990c8d373bf351cd9f1a7

SHA512
96dbb63c2af2dddc185c1610a2125a4eaae01804dab3ee804104c00be0398f64dd18738deb2ad9a9da7bda694865e5b376787a24ac6e3494cb4d2744d14159ce

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
256KB

MD5
84e273ff05d1672bd44721ced297819d

SHA1
f0b308f06ce1b0d6ae1487984d50d37c8bbcb833

SHA256
908031b20db0903a72ba80ac5ca2bbdff21aa515c585ae3da810cb9a036ecd51

SHA512
f0bfc5fab5b489ff664d5c89b57cc57f3ddf6a8937579c0e9fb4c0f0fa2960ceecd2f64040f84b5efa43f5ebce6c7ea2f29cbb3b6495f8ab63e8f0608fb1d43b

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
256KB

MD5
cb01360514aad301ee1371b513eed89c

SHA1
74e160d4c74133fd5b93019d0b0f582be425b91a

SHA256
0fff460b80dcd659566a30ba21cc47104fed581fcf5a4cd9e0da16717e9e6e2b

SHA512
f7c4e71120883351a5544b4bc886e76f84990ae44cdd00073482d05de8314e1751caa180e65add6c015c36a20927a5e1ceb63d2a189c419292a19b5efb6e04b2

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
256KB

MD5
218b49e0f8870c0d004a44fc88082d89

SHA1
34bc4f7a1747b64616a2fc5de4ff99d9e1fc119a

SHA256
b42822bbc5fb4720bd8d1fa7f1ff606508a647a5aeaea50031447284f75c76db

SHA512
c77ba80d885843716bf77529617c2f8c3852c67aefdaea503814f68ccd6d937e497e05bb6c44527d5d41b059bfa783124bb78a86a363a715f73e5f139706bccf

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
256KB

MD5
d79596bfb1a287629fbee8446aa6a4da

SHA1
caae191645d2d2f73b8bdbf5d23f7040d9e9097e

SHA256
f5daf20d8eef35a3c131a452b5c01d7c6075884bcc2ae0a75817b47ac07c4967

SHA512
2850ea6b1e352e114d341f0fb09527c3c5a83df3ff6475ac7d85cc51926274decb24b450c69e36242fc2e3fe5f22b790fef0098c77fb3099c9e520522d9600c8

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
256KB

MD5
e23bef52b1a816b4665045e38e71ff9e

SHA1
01497b2aaa0c1bc1e76c8883e2c72ae6a7454630

SHA256
9fbed4cdd5436d1ca009a291d9b545aca62291acf22870fc20f756ed6bc41c97

SHA512
061c41f8210f59168811ac56121dc72a41bfb66b70f21cad019ebc2d080a82c334521b570e4d94d99ce6b12ee7aa72a012c4187be0a00a5af92ec0373709dcb8

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
256KB

MD5
7cb5bfd80e01b3ded671713392c38c49

SHA1
6ba05d3260839317f2d791414995c023986e39e9

SHA256
9c2f73cd2a1150042c2c9cfde61fb78007845becdf09672330c0b9db88e7d101

SHA512
8bfff6e04e0787fa61622c51e42588e60183598b0480c33c0c42339b4aa49d42647a73d4ef6cc294d6f982e4b62525c19a1032123039571a8281fb89863ab32e

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
256KB

MD5
347c342ccf60fd738da29002e9a57033

SHA1
80e62aa3dbcb03a2d2a502027cc45ba18e99ccc3

SHA256
27950759dc4512d838a9407bd1dc413151e701593a4fd37fe2214bd5cbaedc5c

SHA512
46a12de4072a3b318a5d2649f77e160d590f31609430adfa5094b03e273ad0aee453294d17664e12dd8ac8e53083bff8378f08802d3a20605fe9cb92f4639f23

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
256KB

MD5
d28f5b06839f3b34e25df6864a82c5da

SHA1
d1a18348a053284e0819b0c9b24133ee64e4fc1f

SHA256
0e7fffac9be763411a570c2b7fc08f9eb1a1fbbea1b1012d3c65f0ebe8f31dbe

SHA512
8a07f2407223f7ab503d271c18e2098b893d7e579c5a4cf621b2da06d39b30bf8b6101e9d8fe734a32d92349df59f9211f856eb9756109dcb7bb20ee14716034

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
256KB

MD5
538e32a6b4ad2322039a303502a8cdce

SHA1
ed025eddf7dd36969e0035610f8231b002b1d49a

SHA256
36c18fb84d4e9587a505d9bec8d6c356a6a83951eda47235f88649a4bae2ed79

SHA512
b2bb90f7a71e6bc7f16787a4c7aff9009ea06371fe4570379a069d55b035833b86668d74df0c4204c6aa89bedf9a65bb3768c7052fcccee82b28006f626087ed

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
256KB

MD5
4b1a5477a090c7cf0994b1d044dc0e6e

SHA1
9f4b374d4f4e529f292f47660925fc7d11feaced

SHA256
05a26e391e9b51c29888b46c9f0dbea964e3a9af9ade99dc3c85ebc164d453fa

SHA512
9b077d837a8de79dd8b9852075a033c4047177b6d780b73907ba7e9321fc1d223ada4cb2d6ec44888a0aae6109416cd5c8e5aaf2776a4816248e420fbd2d5027

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
256KB

MD5
6daa59500d16b5e3e1616059749e35cb

SHA1
2bcb06b5a7ead8f2c16c06e390eae0ce2d9fcb44

SHA256
e7bcf5da5f7370ce07a5662ede045d706be65c69218f73faf4994f2b7591931c

SHA512
41378494a5ca432460eb750327dcff1072980076a6d1f60e095dc0a9dae27a91653a453bc901ec1bc6573d045bbf8f3bda93d27f68ef4e4c912972c45019dbf2

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
256KB

MD5
3b7a7d0f0ffd4e77dd2f23ba4818f999

SHA1
f62f014f52e7dee5e48f6d46f8ec7be5260b05ad

SHA256
c616fa0bfe02255a07256b5048f3e820b17e783fa4c25a4debf82874e7790ad5

SHA512
2d2d99837d1e0b0d6d4f275e482954130483d5107ca68fc9776fc16f44aa50fea9036a2bfc2cb46cefb0f1cf57a0fc16b86177cc050c6842f955f9f9458b310f

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
256KB

MD5
204f0c37b73c0a8e919dda09dc2e55f6

SHA1
610954833fc4082ce900c8bfd5b0109784449d4a

SHA256
f070d1057ed3dbc65003f1683416bcecc31e8c8f8ebcb1eea806a4ccbcdc9cf7

SHA512
3ca7d155d005ff29f21831565061dc935f39df7a4d25f700f41994b62591d934b2def391338cbcb246a100951559378f02fdee42acd5defe2223ee5f98110cf1

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
256KB

MD5
18ae71239af4b36e45fe72d9c9df949d

SHA1
91bb71bbc08adfcc68c5382947d30d1cd7812a4b

SHA256
4254550538c89647d9d1552b816031fdb0c3bcb0a44e8fabfde3bb9670b47507

SHA512
6a5338d3be4e2d95932239bdb29483af1481c2ece4d10d6933d736fdb8dc202e9f4900913392782fd16be1ee139843e77573475bda80e80bd05ebf4e2bddf726

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
256KB

MD5
626a215281750aec9f82954ed8cbd650

SHA1
7ec9c199e8c3523a9ed11eb799ecec7a4fe85d47

SHA256
83d57a072bd021e46891ebb87e8bc80c0a549c7496e10b200eea2f026f935876

SHA512
c12efe1cb0f67fb3e388d6b691708fbe864f639e4d0563ed6f9980d11d3f0e34a66242bc1ef47bac2726fc72ffd1110835d94c2979f57d1f948e95e5e0f4387c

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
256KB

MD5
f72bb5d4e864ee691fb92161d4aad433

SHA1
ea620c15119f1dbc8200bd466a53efa5546603ed

SHA256
a93946975a4172d7b24211d88e1afb020f0d8624b2ce489cd668935324b375c0

SHA512
04a77da1715617ce67fed05014093a4e18a5def878d4bc0f0250b20b9dbe44ca1108ca58d8d940a0102ffb5b51e89ca4de5bada82ea1ab9b146f18f35dfbf751

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
256KB

MD5
4fd34d66f8a3c1a7e6ddad204f285daf

SHA1
97fbed9a4330905c3555da1f08a52e88e4d7692c

SHA256
95f0898041320d618b108f70c1f9ba7e93a5d343885fa17a21a376a7ee99cf66

SHA512
a4adfd5d3cf314a0fdfa342dfa0e0f13c03c56de13e9e4acefb9fb8baad86c2978179df61618869c282e5f5f76396d7fad1112f05f804caab756d0172717d8f5

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
256KB

MD5
ffd0c65f3af4d92baec8cae9310c0744

SHA1
a8cf6920c44886e321aafe2a9b0c86124dc8048c

SHA256
753434a416633ab7be9a21ec3ca43e18d0ad5558171af087cc765795c7e60b3b

SHA512
e43a8ac135c394ed12a456a6abfc3f54356ddb2eb09ee0071b71dbc083686248808c0bc1d7e3274cf641e296a3ebf2505f4494210f578922f4dfd6a283afc6b3

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
256KB

MD5
8261fe60d4325571063c3018086065e3

SHA1
dc3694d18e082bdaddde7cc7a3a424a1daca6080

SHA256
89eb83307bae4825e8e52f63addde352c7bc4697a552fb664634faad33ab7594

SHA512
0d930ac22d25d3ba87cf9c8546459c0dbfb6eb1d15359e7c8968909ded9eda76d8d2eb8da38e6478affe53f3c128eaaeb4eebba54243ddc8f35963ac8423bc78

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
256KB

MD5
21f952fd4167bcf3ed53c4f642d2cdee

SHA1
2b6e79439c1a9c9d1895a4b614beda86acbe8bfd

SHA256
babb1ac2a79d627b9b2998de88c9d0b5c38f0591bec243ad289a74f7c6a36f68

SHA512
7894ce07d4e2f978c16e0e86ab4a81a4735103ff31263e8c15e0f8a061835ae145f0650134d58f0411f7d3d74f72eb0e468f236d2b467df4bab2d3fdcebb675d

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
256KB

MD5
71b5c811dffdbd334bb6fdb15981dc52

SHA1
81ef840421f96702cf752d5838aa66a6def98e91

SHA256
046156338e109e540c49c87f270982b7cc4c2056fa5d20fa13ef52db7428e9b5

SHA512
9ebcd25d9be8a1357d3e54079df9821c380c6f247cabe3504b164b1f49edfdd25dee115a7ebe4d659ba12860aaa51b2ee88e1cab01c3e7bd59b5de7ded44535a

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
256KB

MD5
5342cc9587a6ee6b75c1c2fe6a7918bc

SHA1
580e7532e44b7c9e9b65c94c100b415c67aa1309

SHA256
b59be41adf5335619d46f0aca0f6e8105567429833a9d4b45e39f9dc31ff2d6d

SHA512
fcd0cefec20c07fe76f7eb8d6b828964946a9c2fd9b1d6deb2f8f60afc453fc554fef6cd14ec1f2a8c275e1a8797abab1163d6007169af7195ada49f20fb2ecb

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
256KB

MD5
6adb9238375da98bf5799710bc394285

SHA1
267d30fb15288b7c2c573970fc50af0a931f84b0

SHA256
32cc90e8300951438222bd56e35fe06a80ccab15c5ea3cce367657bdaf7285df

SHA512
0770a0dc0257284af9461638b775de4475f5c27cded20e76d83e7820501674e36d17f661f992acc1973ca68af4ab24067c4e40a16f8e2fb8745372024e033b45

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
256KB

MD5
5e911d4dc277f4327bd35f08f22ef9b0

SHA1
4c5ad4bd8121bbbee93316dd26d3de47738289bb

SHA256
e7b1c108ec835665ae387b674acb82385b2f727fdd18715f9283c937529a4cad

SHA512
ed8a42b42d5736466a66e8406d231bc2f9032be010074b195f6b2b07736f4566c2a69cf7cd4f7f259cc6e382d71bf8aa3b895a2a252fd5ab409fb8d468b7e8ed

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
256KB

MD5
ae1620bd21c0daeecec2bde48718a337

SHA1
50a8d445ee3df2f815a3638b127843a56ea8a28f

SHA256
0106ef6c148ca38d808dd6e949c9863af1021d5ccddd7a868d94b98a699accfa

SHA512
f20601d6081c5b185675710404b4223f5eca2ebe279bb2db31d6f47f50d78032c875a0f49e8d05f1fd2d2eb026e0833ca2ae963c601e40e80a68bf4cac2ec7b6

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
256KB

MD5
03f39340168862853a5b37be5461fd4a

SHA1
16e1ae54a7b1c8afb38ac9ae6db19028dccd4123

SHA256
9763ad6da47cb3594530957d7c2cc5ffc08aae4f4061c9e6808c3fe09244e4e5

SHA512
86d5e271db96a8f81c12983533e1d6aa0f6a901f07b18e96fcb1c877b21e3f2a3506254de3aee1f85973114f6ea8739a8a4fffc17a65d804f370341429c474e2

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
256KB

MD5
6d6c0f5d26fce7535b1781ae80f7ba76

SHA1
d0aff501d2eeac5c0da24e446203f6c8458285ae

SHA256
d2a78a49e8af5e6ff03f9bb05a003b50490ff5005900615072a2bcaac36beb8b

SHA512
6284701235cfb3b5f4cce2f528a0aa8bad81d1ada8eeda1c182ce3a79507fbe09cd299f92b4063feadac0781ce1c90fac9fe2d5f1486e725bad1b9b1397aac57

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
256KB

MD5
ff65282d3b177a122c9cdf833c6211d0

SHA1
f32be31030804e9410777d776bb7eaab39b59098

SHA256
79e3a6ec3236a9c178ab924ef5de6bf82fa1ad3d0bb06070788a392aba987c86

SHA512
e147ec2993bd79997613f33976ca5311803157dda97803d9903ee87f36734610aeaf1339f0a3a38f0ebee6b6a38bd320e9677a2581fa6f52cfd83f5e08fa10df

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
256KB

MD5
a485caee96111c8dd7562b79c1cf5396

SHA1
a451222fd289d591827bbe70c07c4e475bfeddd4

SHA256
c75599a955f66886574fd2ce5ba96d9dd48d11d419fbdc99f964496545fa0ec0

SHA512
4956a128d646f3b73ba05ca35561814eecb141886a2ef0d6e04d3a21a8588292647e870fac567c212bec940e51d806dafe9c38a3c8083fe2145098464ec804a7

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
256KB

MD5
b128ff1e263d2a6d3f0b4cf2d0dd9b23

SHA1
d850df7df817e9e5c0f6fa98ccfc9a59a569642a

SHA256
bc6b7332e1cee963084aecf2a27987b769e0ef9d2061499ec18daf5e191de0ed

SHA512
6e94fd1b7323a9f49463c029ca8b33846e561a066ac4ea7a0a2e1890c3cf40f93bc7879bc9d5a242363f81ad13f604e4e24d56de04a69ff471111ffc03bcc8a2

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
256KB

MD5
aae2c2f3ac8ba68770bb5666efe56990

SHA1
4523c34f4eeaa3a769e745beddd71eb2ca362f53

SHA256
51031e93a667f44d0a6758ae165bb1ba3aa30520af5f4042dbc543d9a94df4ba

SHA512
24b6e40f7f888377305a7d6537a36c39847b65f4d22c65d68b52c24c5a420caf5b8bff39bd07553df2e65d4cc9af4024ce41d58f6068b86f48c5436b09594409

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
256KB

MD5
57865eb0cad95c66dda561230ecbdf7d

SHA1
8b7e1460e0359c7bf1db1302ba44231924c51708

SHA256
269027fe4d232a18fc5ee952e581af22b4026f101c33720b23896e60fa56885e

SHA512
99202316574ac4575029859892d6cc0811590b12fc7d121286939f915ec7a09b536a02a47255195178977445edd52defc05ff8a0bee1796c0f73d99adeba3ada

Download Submit
memory/220-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1312-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1312-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2016-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2016-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3440-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3440-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-106-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4244-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4244-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4296-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4296-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4716-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4716-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5536-818-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6048-830-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6092-829-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads