c5e5a40ef944a9474a97074f089be5b95854922101edfa356b0d6a4e88c232c6

Analysis

max time kernel
138s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 03:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c5e5a40ef944a9474a97074f089be5b95854922101edfa356b0d6a4e88c232c6.exe
Size

386KB
MD5

0d2a94ccae015dbc08f7c7302d598893
SHA1

14f0f34177b0715717c516cbf5ef3b95a604be3d
SHA256

c5e5a40ef944a9474a97074f089be5b95854922101edfa356b0d6a4e88c232c6
SHA512

0857dab61f4fb71234842f6f2d376110d18b08fcb017a9fa569f028a8970de95c71a7ede0b638ee41dd9be64c1395a7fbf5e028df103db920860bd6d60bf6de0
SSDEEP

12288:n52+POXwQZ7287xmPFRkfJg9qwQZ7287xmP:n8+POXZZ/aFKm9qZZ/a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe

Executes dropped EXE 64 IoCs

pid	Process
2384	Gqdbiofi.exe
4404	Gcbnejem.exe
940	Gjocgdkg.exe
2180	Gcggpj32.exe
3820	Gidphq32.exe
2520	Gqkhjn32.exe
4928	Hfjmgdlf.exe
1076	Hjfihc32.exe
100	Hbanme32.exe
2364	Hjhfnccl.exe
4696	Himcoo32.exe
3604	Hpgkkioa.exe
2060	Hbeghene.exe
4520	Hcedaheh.exe
2208	Hfcpncdk.exe
652	Iffmccbi.exe
388	Ibmmhdhm.exe
3580	Iiffen32.exe
4892	Iannfk32.exe
2172	Ifjfnb32.exe
464	Ibagcc32.exe
5088	Iikopmkd.exe
4232	Ipegmg32.exe
4392	Ifopiajn.exe
4256	Iinlemia.exe
1984	Imihfl32.exe
5024	Jpgdbg32.exe
2284	Jdcpcf32.exe
2572	Jbfpobpb.exe
2676	Jfaloa32.exe
4476	Jiphkm32.exe
4580	Jmkdlkph.exe
2320	Jpjqhgol.exe
3568	Jdemhe32.exe
4652	Jbhmdbnp.exe
1156	Jjpeepnb.exe
1432	Jibeql32.exe
4360	Jaimbj32.exe
2152	Jplmmfmi.exe
2480	Jdhine32.exe
2304	Jidbflcj.exe
4684	Jmpngk32.exe
2008	Jpojcf32.exe
4280	Jbmfoa32.exe
1048	Jmbklj32.exe
2744	Jbocea32.exe
4060	Kaqcbi32.exe
3740	Kgmlkp32.exe
4272	Kkihknfg.exe
3960	Kmgdgjek.exe
1132	Kacphh32.exe
2288	Kdaldd32.exe
4528	Kgphpo32.exe
1396	Kkkdan32.exe
1728	Kmjqmi32.exe
4808	Kaemnhla.exe
4848	Kdcijcke.exe
1200	Kbfiep32.exe
748	Kgbefoji.exe
924	Kipabjil.exe
4992	Kmlnbi32.exe
4320	Kagichjo.exe
3460	Kdffocib.exe
1988	Kgdbkohf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	c5e5a40ef944a9474a97074f089be5b95854922101edfa356b0d6a4e88c232c6.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Iinlemia.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5568	5184	WerFault.exe	200

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2384	1088	c5e5a40ef944a9474a97074f089be5b95854922101edfa356b0d6a4e88c232c6.exe	84
PID 1088 wrote to memory of 2384	1088	c5e5a40ef944a9474a97074f089be5b95854922101edfa356b0d6a4e88c232c6.exe	84
PID 1088 wrote to memory of 2384	1088	c5e5a40ef944a9474a97074f089be5b95854922101edfa356b0d6a4e88c232c6.exe	84
PID 2384 wrote to memory of 4404	2384	Gqdbiofi.exe	85
PID 2384 wrote to memory of 4404	2384	Gqdbiofi.exe	85
PID 2384 wrote to memory of 4404	2384	Gqdbiofi.exe	85
PID 4404 wrote to memory of 940	4404	Gcbnejem.exe	86
PID 4404 wrote to memory of 940	4404	Gcbnejem.exe	86
PID 4404 wrote to memory of 940	4404	Gcbnejem.exe	86
PID 940 wrote to memory of 2180	940	Gjocgdkg.exe	87
PID 940 wrote to memory of 2180	940	Gjocgdkg.exe	87
PID 940 wrote to memory of 2180	940	Gjocgdkg.exe	87
PID 2180 wrote to memory of 3820	2180	Gcggpj32.exe	88
PID 2180 wrote to memory of 3820	2180	Gcggpj32.exe	88
PID 2180 wrote to memory of 3820	2180	Gcggpj32.exe	88
PID 3820 wrote to memory of 2520	3820	Gidphq32.exe	90
PID 3820 wrote to memory of 2520	3820	Gidphq32.exe	90
PID 3820 wrote to memory of 2520	3820	Gidphq32.exe	90
PID 2520 wrote to memory of 4928	2520	Gqkhjn32.exe	91
PID 2520 wrote to memory of 4928	2520	Gqkhjn32.exe	91
PID 2520 wrote to memory of 4928	2520	Gqkhjn32.exe	91
PID 4928 wrote to memory of 1076	4928	Hfjmgdlf.exe	93
PID 4928 wrote to memory of 1076	4928	Hfjmgdlf.exe	93
PID 4928 wrote to memory of 1076	4928	Hfjmgdlf.exe	93
PID 1076 wrote to memory of 100	1076	Hjfihc32.exe	95
PID 1076 wrote to memory of 100	1076	Hjfihc32.exe	95
PID 1076 wrote to memory of 100	1076	Hjfihc32.exe	95
PID 100 wrote to memory of 2364	100	Hbanme32.exe	96
PID 100 wrote to memory of 2364	100	Hbanme32.exe	96
PID 100 wrote to memory of 2364	100	Hbanme32.exe	96
PID 2364 wrote to memory of 4696	2364	Hjhfnccl.exe	97
PID 2364 wrote to memory of 4696	2364	Hjhfnccl.exe	97
PID 2364 wrote to memory of 4696	2364	Hjhfnccl.exe	97
PID 4696 wrote to memory of 3604	4696	Himcoo32.exe	98
PID 4696 wrote to memory of 3604	4696	Himcoo32.exe	98
PID 4696 wrote to memory of 3604	4696	Himcoo32.exe	98
PID 3604 wrote to memory of 2060	3604	Hpgkkioa.exe	99
PID 3604 wrote to memory of 2060	3604	Hpgkkioa.exe	99
PID 3604 wrote to memory of 2060	3604	Hpgkkioa.exe	99
PID 2060 wrote to memory of 4520	2060	Hbeghene.exe	100
PID 2060 wrote to memory of 4520	2060	Hbeghene.exe	100
PID 2060 wrote to memory of 4520	2060	Hbeghene.exe	100
PID 4520 wrote to memory of 2208	4520	Hcedaheh.exe	101
PID 4520 wrote to memory of 2208	4520	Hcedaheh.exe	101
PID 4520 wrote to memory of 2208	4520	Hcedaheh.exe	101
PID 2208 wrote to memory of 652	2208	Hfcpncdk.exe	102
PID 2208 wrote to memory of 652	2208	Hfcpncdk.exe	102
PID 2208 wrote to memory of 652	2208	Hfcpncdk.exe	102
PID 652 wrote to memory of 388	652	Iffmccbi.exe	103
PID 652 wrote to memory of 388	652	Iffmccbi.exe	103
PID 652 wrote to memory of 388	652	Iffmccbi.exe	103
PID 388 wrote to memory of 3580	388	Ibmmhdhm.exe	104
PID 388 wrote to memory of 3580	388	Ibmmhdhm.exe	104
PID 388 wrote to memory of 3580	388	Ibmmhdhm.exe	104
PID 3580 wrote to memory of 4892	3580	Iiffen32.exe	105
PID 3580 wrote to memory of 4892	3580	Iiffen32.exe	105
PID 3580 wrote to memory of 4892	3580	Iiffen32.exe	105
PID 4892 wrote to memory of 2172	4892	Iannfk32.exe	106
PID 4892 wrote to memory of 2172	4892	Iannfk32.exe	106
PID 4892 wrote to memory of 2172	4892	Iannfk32.exe	106
PID 2172 wrote to memory of 464	2172	Ifjfnb32.exe	107
PID 2172 wrote to memory of 464	2172	Ifjfnb32.exe	107
PID 2172 wrote to memory of 464	2172	Ifjfnb32.exe	107
PID 464 wrote to memory of 5088	464	Ibagcc32.exe	108

C:\Users\Admin\AppData\Local\Temp\c5e5a40ef944a9474a97074f089be5b95854922101edfa356b0d6a4e88c232c6.exe
"C:\Users\Admin\AppData\Local\Temp\c5e5a40ef944a9474a97074f089be5b95854922101edfa356b0d6a4e88c232c6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\Gqdbiofi.exe
  C:\Windows\system32\Gqdbiofi.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\Gcbnejem.exe
    C:\Windows\system32\Gcbnejem.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SysWOW64\Gjocgdkg.exe
      C:\Windows\system32\Gjocgdkg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        27⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        30⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        31⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        43⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        67⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        71⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4424
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        74⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        75⤵
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:888
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        79⤵
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        80⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4856
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        86⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        95⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        96⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        98⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        99⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        101⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        104⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        105⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        106⤵
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        108⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        109⤵
        
        PID:616
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        111⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        113⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 420
        114⤵
        Program crash
        
        PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5184 -ip 5184
1⤵
PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
386KB

MD5
f4ee4e26671ff043b8cbf7af21a815cc

SHA1
6d6e06b433f294579bcabda1413d784e3bef203d

SHA256
10d86d0f88b14cb981976c41013becb66431ec9c3b68bf42e112e85b8fea4a91

SHA512
19ef654be41bda6655d9e2f8a6bea50505fb4fa29f51b03d9f3bc6323ce8721f0aaf2049388942c502438d3820db09d585f87376390e7330e836525ea32441c1

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
386KB

MD5
53902ea8d1d6a72660adea75327b916b

SHA1
27ce1473a38c773658935914cf33a323e60ed9f2

SHA256
0664db8a4c7612b771ed75af233fa074964dfb5f5e94aff529c75529cb5d8a4c

SHA512
a4103c507c8c65fdfcbe2c76dc8dec9ffb2118057567c13c6fbfe91e473e6bb6f7adf98a19cda90aecfb21f97bf5accc94ba79b15bbc1a0a626d41d3122bc284

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
386KB

MD5
695fdf516f2043c7579877fc2b035235

SHA1
79d76a88dcf66cc2a2dd09e3d3689ab3c36987aa

SHA256
c9502235ec2b2eba328ccdc74a4c7e29f26553ba574f5bdf47b29260e8864995

SHA512
57a50f7d017f6b82b40da99e731b7c356144fc71ba7834b20c8bfa11be84ce5aab4252b01767b339c52f505d7729d5055568c8c5f99986dafb99882b39a1fa4c

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
386KB

MD5
86513784beed14f11911fba78cf49f60

SHA1
a224eb0f57a6c2b1edf8a99ff9c489bc29e6f557

SHA256
c8bcaeb11c296a2f1723e8d63ab012f82a2cc7d292a1f805f69ec439879cfb34

SHA512
80057f22086b2f67b025e4cfead0438451be531cb4b2068cdae5237b90e9a9d9a0a408a7b4caf9bc77867359827559ecfa09c23c46c89aa692e14b19f4b024bd

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
386KB

MD5
0992c13de4ca4068d112d5e781d10229

SHA1
48b14225015525bb94d50aca6a3f780fa2305c29

SHA256
1c1b6c82c5c17e0bb54d3b465b80bc14f71b0107d24b7c75b83e31d01969d96b

SHA512
d1c9dac178081ce64b8146315d71c640269acc364b2ee5a8a74fc064de7ee3085354b18d73fa8db5ee588553d72b7d32aced5e101aa4b69ffc254e4cbd0924e7

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
386KB

MD5
cc3f56ef1cd500df9210a08aa5904d65

SHA1
127ea0e2535dc61b7183ce3aae2972f3ef0f5878

SHA256
09af725bd66890925d6901583296405181ce039c5762be1c4f395ea062fdb03a

SHA512
ffaf2633bfbcb9dc4aafd51d1b66239bac694d3b28b528309ca8082ef440588d7a6a7a4d2cc474c2baa63f8ee5eb77dcdd3e7753fbf95ebbc3e42f7370ea242a

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
386KB

MD5
e61f2b88051877e93dd13a664f334115

SHA1
61d34b1672d66450c0fe697a29fbf497671ed5c4

SHA256
2ee0aae9ceb523b8411f1c0041630b9432bc4bcaedb594b9927a742fb89dc259

SHA512
6ce39f6c7ef1f7e63d010921118e47ccd7b4a4b75eabea5879f43656181caf9501f1361456789560e978d934a0fc526016c642f7eb81b58927255b7889ab0871

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
386KB

MD5
be45827a574269d4d6a9f910a6a7dc6e

SHA1
336f4d7c3e8877825881d17eb5a999bc5b99fa58

SHA256
511670cf059798b692faf218aa065b92fc8dbd0c199661546ba2839459758fab

SHA512
5bf1764f143b192eead13e656de42efa82931521de39d8396bd0fce2bcfcac5649e44377b0310d7b5d43a1bed2316b7cef1b0280431fc563c7b55e694ebdc7b9

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
386KB

MD5
d2eb72e9bb57879cf927c9ebca9edb0c

SHA1
e9c5a47cf2f8666258f48ce623d1e07bcbac6f3c

SHA256
1cb6caf9d7d5ebbc956f022b5996941ec3e8259298919c40c5ccc3aaa7fee542

SHA512
d708fa1069156481bb7cb3b795b5fe89c6c556b2ba83b163492da0cd62a1830ba0cdd4cb99120639545ab6f53644bc0f97a1eba5525e780782bafc39a20bfc15

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
386KB

MD5
b9016b1fada65da6f04357854166400f

SHA1
b0ff664153f939da7b73f139b3c03666ce1a5095

SHA256
0d15edb6169560c632c9c66a48bcc5eef54b384a755ae1c4c4901052b2d98611

SHA512
ecfc6d351f241f46745f97ed9e99a743eb372a3f3064d6125cbbb91088c630b71439c888c455d465d11de57fa0b7c7021e2222bae58228b0eff1c24a9db5d52c

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
386KB

MD5
62366d9743706fb12a6bd1292b07abdd

SHA1
70ba9d50470fdc120fb8d74413e8996d21343f4f

SHA256
db6c4b8f50e56318f00021e45677beb7b27f1dd90b393798f9e325e6b560992e

SHA512
e270980721d5446fb881a840bddd970e56449d39f32b18f841121cea9a1a99a0a668ac4dda256cfd23e3ba073f09ad7a5dfa6eccd836ef39b8d790642a1104a9

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
386KB

MD5
0f8b52a911ba791334a765c3a0d1148b

SHA1
5236ba5d7e2667a1b9adea2571e5e25cd2fea040

SHA256
f6183aab0dc65940cfc136ef30e96919e6dd048412bf47717d8616a31a740dfe

SHA512
f341cefd730617671fb418c645f9d4a92500c59bcb4f05401c6842829b11d9c07cd09364192fbbd5648958a9c9667c6c2e207bb887f9314dcc5146eff1e4ac02

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
386KB

MD5
0284e9980043f6958e4351021528755d

SHA1
31d9f1d1ae27d3864ec726e953c5b9d2f7a1ccb9

SHA256
77331afe061b17996f681e683949213ccb5134dc463a564cfcf02bc65bbc6d4a

SHA512
71d0c64ffab9ad4231bb6a9dad3753ee00bb90842f27b98f6217692f77da02728aa4e017ff9d426ea10353b0ff5272ca593c6e0c3210546330690772c126260e

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
386KB

MD5
7a7604ba53bbad2caa4c04da5895285a

SHA1
10af40c13b594913aa34b9c34a1a96559ba1bbbc

SHA256
9fd5a090b62d03822b8e9c72aa20f00a9618f801053539a905010fc775d6a18d

SHA512
a1404d243d0063a30d3065b060aeef3247474a639d849d5cc92a14c23baca21ac9802241f6fd40c73f58af8e639afc4c5929bf3f07fcf7b02d3f1677173353b2

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
386KB

MD5
9fec9b2c752419322c6a3e7563e5e627

SHA1
bcd64bb076de459f0b62c1a0daaa0e01c47321c7

SHA256
7c48be71be2b901a1bff42c6d1965cd590b6c1449f064d7865a6ae9fb2dcf5a8

SHA512
2d912697bcfda8075ba9f73fb5ccbafe0c5ad23112b3a529a0011ad83e1e4182d516b1e7e23f16260b62989ec67d6afa581d0fd3611e6c96ce0fcf7811b5b268

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
386KB

MD5
0f9172228b35e30743ecdc3321dff3ec

SHA1
05e3ef439309fc760af62e2b07c75fc817a64f84

SHA256
ed3a4f7918ac3ce3abcc7ce2568f2c417cc6955395aa8058791d3a2617e89b5d

SHA512
1a64e7ccbd158db02950fe54dba46b6579da308ef29be5d325a79887c1a1d9f8bdba922a82fc38cb4d049ec1b65efce2dcced1cfc4b22e9ea8469de6629fce34

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
386KB

MD5
0733a9998fca72fddabcaef0224dc204

SHA1
380d393171650d5477c018d42aba288d77988d39

SHA256
41d51a16fa16e8f99f7c3b036917781f7f5677d01ee6e7e0157d3c186c0e4b92

SHA512
07de150e1b460fecbbf2cb1c5a609139e15d7ec8985e5f28b0874bd3d3e75741d5981086eb8d43ff4cf57034029b641297f8b734e3af7a6ff1d644ac07fa6510

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
386KB

MD5
1680bd5b4f782c7a69e69949c966313b

SHA1
53468162c551cd0a8667310b02dfcdd7448b29b6

SHA256
b29f68f1e1c9c1c4212d6ad706200459a8383f89ef6648f2b42d5e73ab9b585b

SHA512
888aa148060da09786e215f7af6894ff1308bbeb1d738a81b0d0dda13d364629079cde1406d9d10939e36020b16028fb3c6d77ad45f5b4142b45ce877da09939

Download Submit
C:\Windows\SysWOW64\Ifegaglc.dll

Filesize
7KB

MD5
dd2872e09fbf4d3f2d149200c911071d

SHA1
7a13f5735f22e66582f0c7da00e34c1eaf5aa98b

SHA256
66b11dfb7911fff4b141825cfb43dd7b1dd2126247790f89ec661938b5553b90

SHA512
4a38979e74aec175be4ff5e2f2a6b0bce8b4a381f3234835323d22808a05bf6c822f7e02e260e7c18bde6becbbc5cd322603153ce45969579a3c377fd40a7b78

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
386KB

MD5
c745bbc1a663064a326431586e998eb4

SHA1
8c81e2e95619a1dc0357b4d713c68be7ba375bf5

SHA256
0bd0431433fa214aaa7ada97d42337c1c86f792240e522165bf39111638e5df1

SHA512
9c96b4fbdf2effeaad28b148492ed88e2ef4f717505cb88788418aad61c8acc2be001af1fdf8bf1f934a137bad096a72bf51efeb4d40aeb723787ef66f35b149

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
386KB

MD5
27af663fc04c8bc61c2bfe1ee4803ac6

SHA1
c6bd7fa1b7a256e1d9544cd61f6c4df68480b766

SHA256
b90c27ce87beac7a8eca0b030673ee08f0149519b45a9e3a7f8819f25801d941

SHA512
bca3f38d7dfc82e2f9eab97645ffc755d35de2da5dc35e0e15fbea1c9a16e7a1380c81005f1ee12001928c8775416c62c0432a8a54fa0f03e8f1f343f40aad85

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
386KB

MD5
a1be3dae7025c250e28f12de96b03792

SHA1
a6cbd519943cb2c03a4c6b375bc9a33c3df9f0f4

SHA256
1171a7a7b86c888112373f60d198a324ca242918ab15b7946742d98178b7f49a

SHA512
83010ec002c942b5aee4665b54893ebdc577353d11a2dd004a9bbf6a79a1751ad85dac88f9d8ad65ab61d6dc4e728964bddec7e0032300535e9b0052c4ac89ec

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
386KB

MD5
7fafa5116e57960abf23b1526437c324

SHA1
5edef060f2ffa4f7b7212a51b9c6f9b0b3c2991e

SHA256
908e0a8253e51745501a238d9b352628a22b97e785b0388430ae67e0372aafe7

SHA512
628c78493537c7a3215c9f67b7906db09bd2eb1233458397109484f6204835edf530e7ed890ffabd5d9b9038150f31114e5a2ba48fda4c5a21b65c016e37426f

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
386KB

MD5
595cefb09659b4e1825b4116d9aa2b03

SHA1
8a36a76484efe81265c93ebde9c63df355b32599

SHA256
2e75898ca3f50c27ce45d50127bd8490e7c2703c040dace59000ec52e491da56

SHA512
3a9767a11e975fb6efb5cdb315812a2192f8cc64dc86bef73e6841981bd4ca02f8725accdf45dd238e377f30c09c29fc62137e0fae03aa116f5dac3f315e8c19

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
386KB

MD5
31174e89c6ce5e241d017b11cdc039e8

SHA1
61c2de684a40a9339363a7a13a98603ff7b0644a

SHA256
2f0bf75ca9d04a9bbb924d3783db4b6b0af2e1f015bcc9347d6621d8b037aa16

SHA512
7478b1a484b98f0ea979adf849507a0ecb052d672bcb2258a8a6ba1e6b78ce9d2f1e69054c787341b520890fde8c688b7c35937ae5f55b3d42a213562067b336

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
386KB

MD5
3d21893db602277e1bc4aff72473d14e

SHA1
7c35d2fc987be9cc1f6d55ca16b6997f0fa53c41

SHA256
7595fda54186cd502315adc377d9f4949c94990c4f2fd89847827e7a6cec7e3b

SHA512
754704d9363631eb0d35962c38cd2a90d81aaa28f3ae38d331b82fabe257fd2fdba1e798bf692891a33d9188de6282a9766ba7c8b54e64d9ef642a92bdce15bb

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
386KB

MD5
5fbadb0e35e7eb8441d2544b8936f675

SHA1
71e51b6f2803055e4eb615c7cda789ef1bbca046

SHA256
d0b55f884794d32ac68e4496dfeadb41473892a307a726b55c4e889be7b095a9

SHA512
7b0caa5f48c9d0ab3f0657264c1332a34df440cc51fec0962c81e6ceb84b87511971c55a5b0c312ba9d95a2cccd70a544860a8aa1c202279a78d40c934546e4e

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
386KB

MD5
5b72d0c1f0c794237520a0253e3a00e6

SHA1
78447f43a0e5e72cb70afb9c4f9b0634c2c74d39

SHA256
08af14b5cdc6ffb39899f620590fd38be5952d61c2dc36ddbd3ae8da861e2875

SHA512
46196139a8f62bd35ee2c94d6bb81ad5dd7b94feb70f0458361d881f03ce4144581f92cdf6d38de1cda79aacac3a5db2b1f6f71f155e5062e8f7a3b12b340a62

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
386KB

MD5
c2377fa0d9e2e3ee88ec230912ba5130

SHA1
412d7c24f08498ee4836c7a2f9df010a93923da5

SHA256
1351857ef9c1da8da1abf67a45bbf0ae7ba05103d41caf2747f6aaa6e88897e9

SHA512
b429f376b95139f3d189081dc39429b88cc1dd555066486f8439ffa8bc76f8b71be93a127d1d24d1e6048733f6f2c475abf66ebc3c5f350921333f543fe20a95

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
386KB

MD5
bc9da999ef80d215206bffffb476fd17

SHA1
3b8e496cc05bc8b40523902ba9aca74f3a68db81

SHA256
f250dacad642230eb8de7472d19316c858c0ab07f5bf8abb4e17c2bfda163fe5

SHA512
2f94a990b276eb4f7e4812ca8b76a98c1988188c2aab856bf05073fa7be1d3694c882247d329c453192b3c797cee6b0ae911f43d4fc64e563f5b6170c312a277

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
386KB

MD5
4773621d7ef9e0c37f512c0fedc3f0df

SHA1
f80c8678b421da68c2687fa98fa0fac25fd9ef9d

SHA256
b76a234968ecb00d9be2ec564f4225cab70f2a0cf4a529d3b4d73e9f8d568608

SHA512
e91de4fb2f3ea40ad361070b15faf61bb6c98ae3a215c9ccb979171a90746ee6e7a984216f0faf5246eb0e05b5d63107f03ec3738aa8770e95ee2e1fcc1b8b50

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
386KB

MD5
f9e5658801025772f6b9b3c1fcf00d5a

SHA1
85a272597b45ac0cd2440d327fbe0422bc621886

SHA256
81927948554abddb0022cc01bd47fd890b244ec735758630a3382b8801831f54

SHA512
278f957fadbd22c94fe0585abdf4ef1970eb6e62c4a07078f52c38fa8e75145e2a0e4eeda7ee3b06ceef8c549fc81b5f967af74b3b2fe95b5b252371fb2cd2f0

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
386KB

MD5
5bd520bc83cadba20355bdd35c601bc2

SHA1
1f73dbc2f48ebcc85a0d280b57a4e7b4a24b8482

SHA256
2a8ed203c04df3f04ea9164aec1a3c02492e53fae62827e6cac0b57c8f40d3cd

SHA512
4fda18eeb16b4125e0727465e70e550d43f17e39805dcf1166b51805379e0a06e086a6ef57265e0bed77c9e954ced3d14c05d6bb0469daffc319f4a7b35c55fa

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
386KB

MD5
7999f16fe5771e95ca566c4c2d37ec78

SHA1
a3650905a6decd1e25700a4fec09280faac49a2a

SHA256
d9cd96d763127ecd2a279a9c7d4b95155e8bbb5424ac8bb7011f5db7da86f141

SHA512
2a25c33eb71842a7bd7b8f6a326c26134bc3eb0c854c776ab4a0470d058a522524364712ce454ec81d1570f46d9038e8658d846b65a734933aceee30ff81394c

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
386KB

MD5
cdea3e2cb5897ab8a5df4ae95669e3ab

SHA1
d3f72cbd3884b85832255b61cb53971c4a58d883

SHA256
f21949e4df7a7ec195449f668d62024cee9d4d071672aff7f049bc181ad7ab96

SHA512
50d31c0bb795ed67c03081f50795108eabb234ae37e0186c84cbca9e8d4cc4adaa8af74cc381dda84bd61805aac3f3b1bb09b1bc38305b9ef9663ed80b391a0f

Download Submit
memory/32-534-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/100-72-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/388-901-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/388-134-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/432-675-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/464-172-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/616-720-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/652-126-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/748-441-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/888-536-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/940-24-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/952-725-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1048-332-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1076-69-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1088-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1156-316-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1200-440-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1388-445-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1396-431-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1432-322-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1572-538-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1728-432-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1984-306-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2008-327-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2060-103-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2172-163-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2180-32-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-120-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2284-308-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2288-429-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2304-325-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2320-313-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2364-80-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2384-7-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2520-48-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2572-309-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2572-877-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2676-310-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2744-340-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2968-685-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2968-722-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3460-444-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3568-314-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3580-899-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3580-147-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3740-421-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3820-40-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3960-428-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4152-537-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4232-888-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4232-186-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4256-305-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4256-885-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4272-422-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4280-334-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4320-443-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4360-324-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4404-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4424-531-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4476-311-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4520-111-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4528-430-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4580-312-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4652-315-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4684-326-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4688-535-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4696-93-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4808-437-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4816-532-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4848-439-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4892-155-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4892-897-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4928-56-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4992-442-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5004-533-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5024-307-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5136-539-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5184-714-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5184-710-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5240-717-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5240-719-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5240-692-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5320-569-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5328-716-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5328-698-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5344-713-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5344-711-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5344-704-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5356-571-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5448-577-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5524-593-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5560-594-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5612-600-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5668-606-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5708-617-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5744-623-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5784-624-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5828-630-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5908-645-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5944-648-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5992-653-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/6048-729-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/6100-669-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/6100-727-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads