ab730d07b4288c8018cb0c9c4804f8c60d78e76c38682a30b6b0df2f1baa8358

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab730d07b4288c8018cb0c9c4804f8c60d78e76c38682a30b6b0df2f1baa8358.exe
Size

214KB
MD5

a339683fc22ca0f23029b1d091b4e78a
SHA1

76b5f5886e0cac306f886bc2ec23896b3f083658
SHA256

ab730d07b4288c8018cb0c9c4804f8c60d78e76c38682a30b6b0df2f1baa8358
SHA512

1e1ea1263b227da1aa4cc49e6f77e02beca71ae49724221f09147cffea8e7cf261b88d4b7930f5dbfa330f793cce5cb51ae256d71eee7e4e3b519cd5aca0adea
SSDEEP

3072:CHYy8GUmj5bEOudezAnDlmbGcGFDeaqIsKEYWyPVBweyFve3CFdagBk:CHnRj5bEOugaC9a6HYW0VBLyFviCqgBk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ab730d07b4288c8018cb0c9c4804f8c60d78e76c38682a30b6b0df2f1baa8358.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe

Executes dropped EXE 64 IoCs

pid	Process
3872	Hfachc32.exe
2704	Hippdo32.exe
320	Hmklen32.exe
3576	Hjolnb32.exe
468	Hmmhjm32.exe
2228	Ijaida32.exe
5052	Impepm32.exe
4072	Icjmmg32.exe
3760	Imbaemhc.exe
1468	Iannfk32.exe
4844	Iiibkn32.exe
2584	Iapjlk32.exe
452	Ifmcdblq.exe
3064	Iabgaklg.exe
2540	Ifopiajn.exe
220	Imihfl32.exe
1140	Jdcpcf32.exe
1320	Jbfpobpb.exe
1720	Jfaloa32.exe
2180	Jjmhppqd.exe
2536	Jiphkm32.exe
1936	Jagqlj32.exe
4140	Jdemhe32.exe
2088	Jbhmdbnp.exe
628	Jjpeepnb.exe
4656	Jibeql32.exe
1692	Jmnaakne.exe
736	Jaimbj32.exe
2716	Jplmmfmi.exe
2900	Jdhine32.exe
4632	Jbkjjblm.exe
4664	Jfffjqdf.exe
2980	Jjbako32.exe
1684	Jidbflcj.exe
1016	Jmpngk32.exe
3640	Jaljgidl.exe
5056	Jpojcf32.exe
312	Jdjfcecp.exe
5012	Jbmfoa32.exe
1484	Jfhbppbc.exe
2916	Jfhbppbc.exe
4668	Jkdnpo32.exe
3704	Jigollag.exe
5108	Jmbklj32.exe
1488	Jangmibi.exe
4172	Jpaghf32.exe
1224	Jdmcidam.exe
4204	Jbocea32.exe
2084	Jfkoeppq.exe
2492	Jkfkfohj.exe
3892	Jiikak32.exe
3592	Kmegbjgn.exe
1584	Kaqcbi32.exe
3812	Kpccnefa.exe
3208	Kdopod32.exe
1656	Kbapjafe.exe
4148	Kgmlkp32.exe
3328	Kkihknfg.exe
4016	Kilhgk32.exe
2944	Kmjqmi32.exe
1612	Kphmie32.exe
2724	Kgbefoji.exe
3604	Kkpnlm32.exe
3712	Kibnhjgj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	ab730d07b4288c8018cb0c9c4804f8c60d78e76c38682a30b6b0df2f1baa8358.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kilhgk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5616	5464	WerFault.exe	208

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 3872	808	ab730d07b4288c8018cb0c9c4804f8c60d78e76c38682a30b6b0df2f1baa8358.exe	84
PID 808 wrote to memory of 3872	808	ab730d07b4288c8018cb0c9c4804f8c60d78e76c38682a30b6b0df2f1baa8358.exe	84
PID 808 wrote to memory of 3872	808	ab730d07b4288c8018cb0c9c4804f8c60d78e76c38682a30b6b0df2f1baa8358.exe	84
PID 3872 wrote to memory of 2704	3872	Hfachc32.exe	85
PID 3872 wrote to memory of 2704	3872	Hfachc32.exe	85
PID 3872 wrote to memory of 2704	3872	Hfachc32.exe	85
PID 2704 wrote to memory of 320	2704	Hippdo32.exe	86
PID 2704 wrote to memory of 320	2704	Hippdo32.exe	86
PID 2704 wrote to memory of 320	2704	Hippdo32.exe	86
PID 320 wrote to memory of 3576	320	Hmklen32.exe	87
PID 320 wrote to memory of 3576	320	Hmklen32.exe	87
PID 320 wrote to memory of 3576	320	Hmklen32.exe	87
PID 3576 wrote to memory of 468	3576	Hjolnb32.exe	88
PID 3576 wrote to memory of 468	3576	Hjolnb32.exe	88
PID 3576 wrote to memory of 468	3576	Hjolnb32.exe	88
PID 468 wrote to memory of 2228	468	Hmmhjm32.exe	89
PID 468 wrote to memory of 2228	468	Hmmhjm32.exe	89
PID 468 wrote to memory of 2228	468	Hmmhjm32.exe	89
PID 2228 wrote to memory of 5052	2228	Ijaida32.exe	90
PID 2228 wrote to memory of 5052	2228	Ijaida32.exe	90
PID 2228 wrote to memory of 5052	2228	Ijaida32.exe	90
PID 5052 wrote to memory of 4072	5052	Impepm32.exe	91
PID 5052 wrote to memory of 4072	5052	Impepm32.exe	91
PID 5052 wrote to memory of 4072	5052	Impepm32.exe	91
PID 4072 wrote to memory of 3760	4072	Icjmmg32.exe	93
PID 4072 wrote to memory of 3760	4072	Icjmmg32.exe	93
PID 4072 wrote to memory of 3760	4072	Icjmmg32.exe	93
PID 3760 wrote to memory of 1468	3760	Imbaemhc.exe	94
PID 3760 wrote to memory of 1468	3760	Imbaemhc.exe	94
PID 3760 wrote to memory of 1468	3760	Imbaemhc.exe	94
PID 1468 wrote to memory of 4844	1468	Iannfk32.exe	96
PID 1468 wrote to memory of 4844	1468	Iannfk32.exe	96
PID 1468 wrote to memory of 4844	1468	Iannfk32.exe	96
PID 4844 wrote to memory of 2584	4844	Iiibkn32.exe	97
PID 4844 wrote to memory of 2584	4844	Iiibkn32.exe	97
PID 4844 wrote to memory of 2584	4844	Iiibkn32.exe	97
PID 2584 wrote to memory of 452	2584	Iapjlk32.exe	98
PID 2584 wrote to memory of 452	2584	Iapjlk32.exe	98
PID 2584 wrote to memory of 452	2584	Iapjlk32.exe	98
PID 452 wrote to memory of 3064	452	Ifmcdblq.exe	99
PID 452 wrote to memory of 3064	452	Ifmcdblq.exe	99
PID 452 wrote to memory of 3064	452	Ifmcdblq.exe	99
PID 3064 wrote to memory of 2540	3064	Iabgaklg.exe	100
PID 3064 wrote to memory of 2540	3064	Iabgaklg.exe	100
PID 3064 wrote to memory of 2540	3064	Iabgaklg.exe	100
PID 2540 wrote to memory of 220	2540	Ifopiajn.exe	102
PID 2540 wrote to memory of 220	2540	Ifopiajn.exe	102
PID 2540 wrote to memory of 220	2540	Ifopiajn.exe	102
PID 220 wrote to memory of 1140	220	Imihfl32.exe	103
PID 220 wrote to memory of 1140	220	Imihfl32.exe	103
PID 220 wrote to memory of 1140	220	Imihfl32.exe	103
PID 1140 wrote to memory of 1320	1140	Jdcpcf32.exe	104
PID 1140 wrote to memory of 1320	1140	Jdcpcf32.exe	104
PID 1140 wrote to memory of 1320	1140	Jdcpcf32.exe	104
PID 1320 wrote to memory of 1720	1320	Jbfpobpb.exe	105
PID 1320 wrote to memory of 1720	1320	Jbfpobpb.exe	105
PID 1320 wrote to memory of 1720	1320	Jbfpobpb.exe	105
PID 1720 wrote to memory of 2180	1720	Jfaloa32.exe	106
PID 1720 wrote to memory of 2180	1720	Jfaloa32.exe	106
PID 1720 wrote to memory of 2180	1720	Jfaloa32.exe	106
PID 2180 wrote to memory of 2536	2180	Jjmhppqd.exe	107
PID 2180 wrote to memory of 2536	2180	Jjmhppqd.exe	107
PID 2180 wrote to memory of 2536	2180	Jjmhppqd.exe	107
PID 2536 wrote to memory of 1936	2536	Jiphkm32.exe	108

C:\Users\Admin\AppData\Local\Temp\ab730d07b4288c8018cb0c9c4804f8c60d78e76c38682a30b6b0df2f1baa8358.exe
"C:\Users\Admin\AppData\Local\Temp\ab730d07b4288c8018cb0c9c4804f8c60d78e76c38682a30b6b0df2f1baa8358.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\SysWOW64\Hfachc32.exe
  C:\Windows\system32\Hfachc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\Hippdo32.exe
    C:\Windows\system32\Hippdo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Hmklen32.exe
      C:\Windows\system32\Hmklen32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
      - C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        24⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        26⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        31⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        33⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        34⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        44⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        45⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        56⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        58⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        63⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        70⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        71⤵
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        72⤵
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        73⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        74⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        75⤵
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1588
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1808
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        81⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        83⤵
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        84⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        85⤵
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        87⤵
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        89⤵
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        90⤵
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        94⤵
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        95⤵
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        98⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        103⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        107⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        113⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        114⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3888
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        119⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        121⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 236
        122⤵
        Program crash
        
        PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5464 -ip 5464
1⤵
PID:5572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hfachc32.exe

Filesize
214KB

MD5
54c8e139e2281e37a01652dc78320d3d

SHA1
b829b0f96fae68b5ff3c8aaf87ee9d427cb27cbe

SHA256
171c536f35e1fce1b0e812a00252a8bb8ac622ab2ea5cb10e29553b27e8592ed

SHA512
9833232e37421b4d96d0054250b5932a46b5a69889d4f6884680767921b547bd62f4295c98b254d7914c6ab534e58ab9bd49871d443c151a39c34d5c80e7f385

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
214KB

MD5
47b7a73dfa337f282b76304b341db3f7

SHA1
8ccfe8ab4e23feecc3de79e6e9046b2775064f41

SHA256
e21ee2c6dc0c7c79f6e2b69a498cc4f06590020b2148972041a373422bcce2b2

SHA512
bc32409ef792350f61564da4f046122ed235c2a805cb3677f2e41c214a2f23aca7f960ee4282e4fa8ec0419b9c8afd711178fa5a18cf0faf9de08792544d2de6

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
214KB

MD5
c7cb53cdd2120fff6b12ce5e994901ac

SHA1
e1447fbfd17dd443d51dd6ed2368176c1df9e75f

SHA256
b47e6e9a5d032789d23c671f4737ccdd6848806ef00878b86ac79313d0bb8663

SHA512
eb86ded561928a3701fa213e098a61741b15d87f7e16707387a8c390ff56b8e4c7969b7ddf79b169ba7fac4a4be0ddde1212eae20ff9086a6b4065c1880c1050

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
214KB

MD5
409fc9de57f842a0fcbc979c4e3568cf

SHA1
31ec3375b4f0b18ff37d9cc797c508e4ccc4abc5

SHA256
fa6bbbe5e19c35e862c102004ccfa4d291fd68a373179b116da871a7e0b8d387

SHA512
fa7c8a6962eb7a428ca141ad3a1afaf97d7af525a80a27a9650018c80f0b9e18d8e5edabffe58a8740b3f2b9a9a2aa94a2bfaf8b0e61c2c7703bacb3de3695ca

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
214KB

MD5
e4d53a6121917eb1dbe6f47b3c306603

SHA1
3e9c868b6cd96483db8620e25d3f27eca1a9b26d

SHA256
753d5a8ca7366f48ffdc42b6fd939cd7efeb1c543eb87f087a2b104cdc0eac86

SHA512
b44059ff5f854b9fc7355b544afe82bc29b8cbd4cafed3a8ab887f83f655249ae247ed6aaa659848efa9517b47a518a82c6a8184ed50379959a3d003b2bd00fe

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
214KB

MD5
7d6ddb881a0f41f7951b0ab18afdb4c7

SHA1
01d95419b1d8a1a900b00b6ece36c46bf1220c98

SHA256
9a6338563d1bb82e72e600e0882e4b2be9b53a159a6c46ca4a4ab7f59036ba58

SHA512
0a1995f492f6f9a13eae498033467f624d00e390f78613a4d7922c7f4b2d643b6c8a797491e3f725b8f7cf53608a1ce2d96c36031b620bdc9bb0c0ef90e0816b

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
214KB

MD5
3ca2d2b0be0e62faed5642e1d312056b

SHA1
c9dba1f811ac05dccfa6be6f6a7c6faf3de64c8e

SHA256
64775be889782f3bb6d7d4b07aeade7f9ef45a8012e39fab3ddef93a1684512b

SHA512
f28a4bf01fa3a1c27889aee3bfd6b1fb5c07b1b40d1c8e3233c05288cef669ccf647dfadbe667dd8e9bde826c0a8d2104a7901399efd64989f450e3431c90dd3

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
214KB

MD5
0df4a6b1ad5208d9e2a74cfe1b1eca88

SHA1
1c69b104afbf4818982bec4850c97a89cc9a269c

SHA256
8816f0166d9e653bdd7d8e3e252571c997e46854c95c4a816a07eb4047a8ae65

SHA512
cc8b93a8fa4684e15cd131cccab5c8ede00abbacf560bf7848933cfdf5c00b25df6fa751dd48ca0ca9fc6793ff51492f96ead0b021ffa23f16d04199ffc045a3

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
214KB

MD5
2ad6c85ed3a4e1bba36acd78800adae6

SHA1
6dbc10283cdd09764a5a5684c24cd51f7b940bf8

SHA256
8090e09fbccec682c022a50a1280561f1d4d0ce0a065944138867b2ec2dd6588

SHA512
ca3ca3b610e24f8f139d4a60304e8dfaaa14f1a65c008d0e03f3e555445b825a3090509e5871fe6e017d44ba5aa7b77b75bf39e8f709465823e6bb4b8fda52f0

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
214KB

MD5
486ba2f073d95d81f6d9ef27455b8879

SHA1
e928ead7643fd6dff5e2ab3e65ffcfc0e67d6d77

SHA256
d66f22549734159507e5590a83b7d451e6d118043d2ea1fcefafe3dfc6c6ebe1

SHA512
c691c2416c790f005ae99765e68b3554731d0bed7b8d8603515f9c4ee99b569cea6cf741ecdb5f72da65a1200fa3d33c200f7835c82dbb7b352ba594b4ee1acf

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
214KB

MD5
d5306d410c4493225755cfcff661562d

SHA1
228f1e0206162d8b86827aa4d62ee87b5c021cdf

SHA256
99ff0c3b7409d0467beae541e187beb8a0d811c299803404ec910b1f8415bd05

SHA512
d942a8631cad5650cb7ed2cd313f351ee29f5872110360b97121c5addb666d4d63b4eb9cf4d924d4093d89f98d4266bf91dd7f54987ccbdd4f2e8ed75c45567a

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
214KB

MD5
c34ea94a4a872b334e027577aef6fac0

SHA1
52b7db93a2745ebbf96ac51dbbf5fd934d0be7a6

SHA256
b9e28afc111ba2a18fdf1dc56cc7d164dd78dacc78539a9dd86e8673ef038346

SHA512
95899bff01f258a3b922cef57b1c8814b05d61aa9ac01d0d34e51b30ad2623c309626201a526a03ce510caaf411db9a394fb1485cb11cd6a4ef2f97467cc8893

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
214KB

MD5
6614ecf0b9a245aefbdd73f79d61557d

SHA1
8e0504fadb47c7c3cbb60258c905faab260d0edf

SHA256
954b2357147ff86f15473aee96ec5da89d063b911e4a168953210415f9a90a98

SHA512
d99b7c831f055d40d387380698b8da77591677fa5e90e3250994e790a0265aed2b150972912463d393dddc6f9d1ca62a4d83860a195cbf7cca2aede44074860d

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
214KB

MD5
f9b4df79574c1b9a30935e2ef58908fd

SHA1
2a308547ce6a6bb647c51d00238a201c5e4cb6cb

SHA256
ff486c1c02e0ec5c9819f365a5586ac6722e6f661468040a9f09a4a5297934db

SHA512
45d55471c2d1a18657d2f59a61d6ad9673d0197f1e27d0075dd4d2dff98c69981f935b95a42e5cf3181c9d12c6e54d37c356f2d1c78a713bc1c2ee0afd2624f1

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
214KB

MD5
9e835538fc54304af28db5fe310f8491

SHA1
3de6a66b05df6f24107e126abdbeb079a311d533

SHA256
175398c20e35163de2d02e5051947e80ed48b46fe99264c24ab9ed40ca0538c2

SHA512
02be0250439e11b602d733c3e9088fbca2e842695978624c8acb52feebf9fb77dbfd2726d901b50698ed06f58414e191191750fc0c199fec52609b7a38cc9cbd

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
214KB

MD5
f667d6ef5a5af528472f72669b861738

SHA1
8922452c0a26f9dbe6ab638430e899c15e3509d4

SHA256
0218ae36a80d238474c576212256d9c7778ad2cfd9480b67aa28516ad89e5228

SHA512
98b7fb9f7cb4afa80d7960c981ca9f71355621a0bfc6cbc9c8644937eb67c4f72fa7bad66da9a5e3bafd1f400abed77cff507b74e6fe04208d4cf141b34887e1

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
214KB

MD5
a62e671700f8e575cf801cb3809bc4e5

SHA1
5123c33a147500f5e6da8ebc99acd59cb1849aa1

SHA256
64d7296e7e646c3b05df123a5413555b0b7f74711d9d163dc64be7f287d16186

SHA512
6a5c900651741173413d784bacc3f81d2a44906b711c2217b6088aadce4529ae9d27645c20bdc61b81fa651b64b6a74b1544f592f44b17a313298d1bdea7db70

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
214KB

MD5
02b466d3a7e3721578d3b8d121899f3e

SHA1
7836882718ae4fa3cb605ff66bdbf8f1e469c54b

SHA256
e6286d9ae4f70501e20167ab05a67d1c6c0918727f676cab0f9fe3f3deed22da

SHA512
693f6d56c32f9cc74a0271699a8292094968eb00768fd5fc3891a596ff4fea953dfd985468b540d751d66c6ca657f3d844910d6db006996d148ba31fc1abf7ff

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
214KB

MD5
364b32f30bbc3a605341cedae3414e03

SHA1
757caead1efb285152778bf4930cb120705b182b

SHA256
6b61c520031e487cd9be886ee28965be682549b802a50a2983529fa16d433789

SHA512
7e1067538aff90e76e2ab78169add06bc87dcb527b428d287becf53d7deb3bcab10bbefb84de9770271f843db8126f3c7685b4a36a8017132decfc1988971774

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
214KB

MD5
ce114f597d5cef0a02fa027786883f84

SHA1
41a7d7fad83bb4f8d678bbb6b6544d5f99fbcc11

SHA256
69810d96470073b1ce3e3c7cfa71f10c3a442d77e2eb16cf22879ae170bf9cbf

SHA512
74a662d542cb2f4470ef4fad03d662d43a2c1898274b1cc23d39aa8166a9ae419f3b355a9d7c54df596bff6dd95f0e1963c960720a690bce17c72ddbe9e4d509

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
214KB

MD5
746efa2960dd11ba6a57b3d9a60773ef

SHA1
b4690f24077016d89454755e028e7cc0ddfeec1c

SHA256
0969c8a54c2797c2f47ab93328418682f1d166f501437929e40dad4c9486d53b

SHA512
c77616b7b801b8c3fbed92ea432b29df2a8974445fc6dce7a198e7ffd7b40c31f7f3eb3d2bfc5fca078cc4ba8e83d4ec1489a5f9a948481ee67424cf7eae1539

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
214KB

MD5
b5f1535e960bb173d28dcda313a70792

SHA1
1c40756bc47f8af7b265bab20b0b3d1986517725

SHA256
668c157085840af9fca02dff2f9ea3a4c71455e7465233e1dc936a5c385a5e13

SHA512
67f7a959eb0e849ab95a5a454f278dc30bf22ff5d91428ad29078413167755302abc797267c1d419162ff5957f4c4fbade3d171379f7508ff087f4523999de18

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
214KB

MD5
8e40b741ceed0ecc69371765768e3c07

SHA1
c68d1ee046c210aff3ecca5fcabce8ab576d1ac5

SHA256
514cfa01a5c9bb696521b9effbf4470c390c611b3c6d14ea0cbd2ac6d1fb27eb

SHA512
2f6f875fe92c72cc84e1422bdfb9543248f080fc4936a795cc901cce9158b5f4862992a86b5686d9b38e1da7b2935e6b795ea90e3b69b997e3088c455fcceb1c

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
214KB

MD5
4f61735e46aac072b998377e85edc71e

SHA1
d2a92f078785e29b12a4c2b4f8c3b44791543a8b

SHA256
0a38eafb5ec46281b28afa665a08d869ed4dddfad2c2ec8e82de312eab1a64f0

SHA512
b42a9e165d90542e2efc11c7b1d9bf3c9ac78918e31eb0aefc69e62c2eb778e72736399e4b860540cc00129a589d475e6cc0f9d017f67bbe9d8c18156297c93b

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
214KB

MD5
626dab0db99c1fe7099367db7f208298

SHA1
44950f63e2643b16177a02440ca173662490f581

SHA256
65cb42dcecf2d282e9571b380c716a1ac8d083c12d386e71f1487bd357de6df6

SHA512
747ec792a7b3c6316e3d031136aaf0febc2664f44a0e62cfd8548c9fce5c8e3d39ef81c03cef8c8128b2b487aaf6ce82f4e2cd86a424be9643ca00b3529bd26a

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
214KB

MD5
fd91a28e13a4cb86cc41d91b530cd4a5

SHA1
91587a347c38a882cab9062db11700722ba11f35

SHA256
c76349a4f6917c7188495fe6ebe1b1757ed15b9aa8d66bbcee2d71501e554e2c

SHA512
1c7c292ccb25664178b8657cb06b4dd43ef9ee9769cfeb9d09c0859684f52ec21039c922e8749fb38ed7ab3c4d0fbe2a8f0846232cd08439f1a8ad81b270dba4

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
214KB

MD5
f2b78f49faa00a1cf35316592da44a69

SHA1
9dd2244d3d6605980bd626b5b680d75027786a43

SHA256
96586bcf949260fe7cc95094c325b38ca30a26afb3383e250e1fcb5db476c9eb

SHA512
61b63d6a61a3141fd4a5d1ae6abe339a534c0b5dc1bf2832c69d4407df10b5a00b234d9d40608968b6473a7db1e4c012e597c18dcf22995bd445c43ddaf0d146

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
214KB

MD5
c2d3bb6d5d5260e5097a539aaf99d99d

SHA1
448cdf3302c6310ba18b80dd2e3c470036b19a66

SHA256
0d9938c9a007c152bab69e85d7b63b769162fec46c8621cb8749825e91625c7d

SHA512
43ac3de3aa3b654b47085423dbca6599624758bff1296d6651c2ba1eeff3e322a3fed58333a606f949964140cf30b2d4db906accd46ffcabaa33251b9e9b90f7

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
214KB

MD5
fbc8e64bb618f87aeee4fd17778fadfc

SHA1
8e51542fd140e0f36b573b8246279a8f5c21b9cf

SHA256
c0aae96a04ab8c7ef1774d7a130ad102c013835429334bd2f71cdd91fbd1d19b

SHA512
7c5781b0ac4288ab88cf132cbf54a53fe86f3462aaec417d735d59dde2a6b17912bd285e5d53f6e0586b71f7e0da974f391decd7d9b980579df930cf002f97bd

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
214KB

MD5
1c94634c89dfe2d29749496914490f18

SHA1
868778b1705f40af1ba625ad65cf1d641df8984f

SHA256
06d86147338bbb4dcbaa685fcd3943a649de77109577c3ff7c4180ed0f22f9a0

SHA512
d58f8bb39ec57e5f1030f2f3c43d203f98bffe07971a9d2c05dc297b5a57bc2b3a9e069100c56403abd274ec247a042059d25b85dcf9bb180d86d37dcb8253f5

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
214KB

MD5
6a8e91b09195ec67d005aef1dd862c12

SHA1
e13a5e591830207a6eed9c60e26be4186075801b

SHA256
055a0cb5e10416ffc7b4f178032a7d0fa52037d0656fe3d3fbf6e4ea5fa1b52f

SHA512
2570021ab41f53f2f35f27356a3083465fdbe079a701e3dc0ab35eab7be5064414c445c8be1332f9652fc5761c0af76bd4c51071c6b3e3a92c5f42e6560d7a4e

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
214KB

MD5
e350d35bc27b750eec7e893030480e33

SHA1
68ab175d1e1ac3b40b846b14f1893dfeb2affa28

SHA256
87a59d0ecac0a2ba6efd98c28c314fd180b83fafdf07f0df8f3884b628931616

SHA512
aea9910a246633c2cbd9f597beead80915e559b3d0bf68892d887dccc23a0bac1917561f6a436830375336bd44dc889b21f5537fe46d94e81bb28470753c3110

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
214KB

MD5
3078750d2daf4ec5f92ae536cf449fc5

SHA1
90e108a2bff27650d921849789d3eb8bdb44bcbb

SHA256
122c21e7acea363cb132b9a290a1dc11db6974ded016211186835600fc6674d7

SHA512
bb01bcdc97774e6368af5fd5283577f9b431584cc464f4f3ced229f4d6f6f0370b3d8ea439478fae31f636ef4ebf4f113a818c21fecf8d12416600dcec3356e9

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
214KB

MD5
1ff75f45992df6a94e7ab1b19d60956b

SHA1
4b5e13c0826b964e2d82c943923718df153ed23e

SHA256
ac89791068625301cea45f7a6112e969bfc22c157ea651ae41d81b45bb752e3e

SHA512
2bfa41f3ae111a3675c73148ed430e24272ec0ff761508041bc3c102d8dfb5232b372e09f8c94d2faa0837c8250ba862018ec8e27a5e1fdb4ed875d0ba008989

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
214KB

MD5
018dd4a8ff7d2529f585b977c5d741a9

SHA1
5d3655f747b46e71b239a954c49559619d89ab55

SHA256
666094fe2b901e17203ac8db2d123ea73701e97ad81b550b2e581552b4e2f195

SHA512
e4e2a3ea0d2b228506bdf91b8ec2c37774dd424d28d06c1e0cd68fdd01794d8204698af1a8dc413979bb863e24ff1966f7c791284dc32f6204ffd78c37129bcb

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
214KB

MD5
2737f3031f362b4c2771327e3e2d9cea

SHA1
6458136b98bbdb1a873ba2fd9761127d2788edc9

SHA256
b03fad8cca3173632fc7896f349ec81e845dfed549f0056e72f8f828ec827863

SHA512
4be82bdeb4ffe4705a916eedb9ba018e871d86476ab20ae42b09d8a9f8399f70526b5bd20a3cbdea3deaffe17bc473b6ed8a6f0b7d9997d4fce60b0f2895cae3

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
214KB

MD5
7c554a1d80944bba3ebb4deacbf2ad3a

SHA1
be0f01a0e0ebff85c52f3a9c89432ef325426516

SHA256
57ad20d1204f1c40ce005c18677b317a97f16fefa807bc510b4f48f7dc07d2e7

SHA512
36df424034f3a8e8f3d1518b43b4e1e2c5b8f50f1ed4d0592defe04e2dcbc16abcb3d3db472ff501c5656af707940f19499dcd34e6a019143853975859d773dc

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
214KB

MD5
8ee9ab7740fbd37198f2048c07d6af5d

SHA1
34d796db601f94bcf9a256e480c78a889051431b

SHA256
28931c4b0ff846224d76e7216c92c9935e9f3e75389bd7dcdbd0efc2a7943e4c

SHA512
5e6bd0060f8786d29706d2ab7fd4fc16da7a59353f16ceeb6660d5c04f94bb8bfd06ca96936d2238e95818721a4bb86e7a68f05e8666d494f89aa6c5f71951c5

Download Submit
C:\Windows\SysWOW64\Opocad32.dll

Filesize
7KB

MD5
a2746c9319e4b3ddc95fc684dbce32f1

SHA1
c6bd8ae6f8091608983ade4c17a40eef02eebeb3

SHA256
a3bd6ce93547ac05601c3fa01b7c376f46b907b194014ec5ba1c9e374285dbf2

SHA512
f31a81d6de542755e7987a9206e3744d9c1ff2564ce8df52e811403e6cf5d720e487e6861ed344c3701e99249a7dae341370fd5c9e4f0c4a09822baa9c8f7dc7

Download Submit
memory/212-518-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/312-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/320-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/320-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/628-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/736-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1224-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1376-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-529-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1808-535-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-519-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-482-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-512-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3328-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3892-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-481-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4140-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4668-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5056-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads