fe1d6f3669d375abeb74fcecb0fe8ac0e384744eafcd7cec4f190da290246a54

Analysis

max time kernel
142s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe1d6f3669d375abeb74fcecb0fe8ac0e384744eafcd7cec4f190da290246a54.exe
Size

144KB
MD5

ae76c75df574e6f60cb48d3269b49773
SHA1

b77f95bc8e057f83b688d061e3b27e5c00abf556
SHA256

fe1d6f3669d375abeb74fcecb0fe8ac0e384744eafcd7cec4f190da290246a54
SHA512

049c012e57d8c7bbe14965b7855f0d89388c1eab9b626627f844b3053ebc0ce7950d8379284745d7247a8e63aa86a41ec8c06e42dfae3d3c94deb07d8285c8c8
SSDEEP

3072:Q9i3HmM/6iZMphvEetWa8Cp5GURlSjgjxxt8vgHq/Wp+YmKfxg:QbM/6HfPf5LRlUivKvUmKy

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe

Executes dropped EXE 64 IoCs

pid	Process
5952	Gcekkjcj.exe
3616	Gjocgdkg.exe
4836	Giacca32.exe
4152	Gjapmdid.exe
2456	Gpnhekgl.exe
5192	Gcidfi32.exe
5420	Gameonno.exe
6116	Hboagf32.exe
1288	Hmdedo32.exe
1664	Hcnnaikp.exe
3696	Hfljmdjc.exe
4092	Hmfbjnbp.exe
4816	Hbckbepg.exe
3468	Hjjbcbqj.exe
3644	Hmioonpn.exe
5100	Hbeghene.exe
4160	Hmklen32.exe
3860	Hcedaheh.exe
1632	Hjolnb32.exe
3652	Ipldfi32.exe
4628	Ibjqcd32.exe
4076	Impepm32.exe
4924	Ipnalhii.exe
4944	Ifhiib32.exe
5208	Imbaemhc.exe
636	Ipqnahgf.exe
2072	Ibojncfj.exe
1232	Iiibkn32.exe
5396	Ifmcdblq.exe
2388	Imgkql32.exe
2864	Ifopiajn.exe
1440	Iinlemia.exe
1520	Jaedgjjd.exe
4960	Jdcpcf32.exe
3292	Jfaloa32.exe
2384	Jmkdlkph.exe
2936	Jpjqhgol.exe
3400	Jbhmdbnp.exe
2000	Jibeql32.exe
5696	Jaimbj32.exe
2332	Jplmmfmi.exe
5680	Jfffjqdf.exe
1072	Jidbflcj.exe
2768	Jpojcf32.exe
4488	Jfhbppbc.exe
2984	Jkdnpo32.exe
3192	Jpaghf32.exe
4984	Jkfkfohj.exe
1748	Kaqcbi32.exe
5828	Kpccnefa.exe
4516	Kbapjafe.exe
5400	Kilhgk32.exe
452	Kacphh32.exe
4388	Kbdmpqcb.exe
4352	Kinemkko.exe
720	Kbfiep32.exe
3676	Kmlnbi32.exe
1280	Kpjjod32.exe
5500	Kgdbkohf.exe
3232	Kajfig32.exe
2256	Kckbqpnj.exe
3976	Liekmj32.exe
5088	Lalcng32.exe
2136	Lgikfn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gameonno.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1296	2468	WerFault.exe	203

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fe1d6f3669d375abeb74fcecb0fe8ac0e384744eafcd7cec4f190da290246a54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ifhiib32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 5952	1648	fe1d6f3669d375abeb74fcecb0fe8ac0e384744eafcd7cec4f190da290246a54.exe	83
PID 1648 wrote to memory of 5952	1648	fe1d6f3669d375abeb74fcecb0fe8ac0e384744eafcd7cec4f190da290246a54.exe	83
PID 1648 wrote to memory of 5952	1648	fe1d6f3669d375abeb74fcecb0fe8ac0e384744eafcd7cec4f190da290246a54.exe	83
PID 5952 wrote to memory of 3616	5952	Gcekkjcj.exe	84
PID 5952 wrote to memory of 3616	5952	Gcekkjcj.exe	84
PID 5952 wrote to memory of 3616	5952	Gcekkjcj.exe	84
PID 3616 wrote to memory of 4836	3616	Gjocgdkg.exe	85
PID 3616 wrote to memory of 4836	3616	Gjocgdkg.exe	85
PID 3616 wrote to memory of 4836	3616	Gjocgdkg.exe	85
PID 4836 wrote to memory of 4152	4836	Giacca32.exe	86
PID 4836 wrote to memory of 4152	4836	Giacca32.exe	86
PID 4836 wrote to memory of 4152	4836	Giacca32.exe	86
PID 4152 wrote to memory of 2456	4152	Gjapmdid.exe	87
PID 4152 wrote to memory of 2456	4152	Gjapmdid.exe	87
PID 4152 wrote to memory of 2456	4152	Gjapmdid.exe	87
PID 2456 wrote to memory of 5192	2456	Gpnhekgl.exe	88
PID 2456 wrote to memory of 5192	2456	Gpnhekgl.exe	88
PID 2456 wrote to memory of 5192	2456	Gpnhekgl.exe	88
PID 5192 wrote to memory of 5420	5192	Gcidfi32.exe	89
PID 5192 wrote to memory of 5420	5192	Gcidfi32.exe	89
PID 5192 wrote to memory of 5420	5192	Gcidfi32.exe	89
PID 5420 wrote to memory of 6116	5420	Gameonno.exe	90
PID 5420 wrote to memory of 6116	5420	Gameonno.exe	90
PID 5420 wrote to memory of 6116	5420	Gameonno.exe	90
PID 6116 wrote to memory of 1288	6116	Hboagf32.exe	91
PID 6116 wrote to memory of 1288	6116	Hboagf32.exe	91
PID 6116 wrote to memory of 1288	6116	Hboagf32.exe	91
PID 1288 wrote to memory of 1664	1288	Hmdedo32.exe	92
PID 1288 wrote to memory of 1664	1288	Hmdedo32.exe	92
PID 1288 wrote to memory of 1664	1288	Hmdedo32.exe	92
PID 1664 wrote to memory of 3696	1664	Hcnnaikp.exe	93
PID 1664 wrote to memory of 3696	1664	Hcnnaikp.exe	93
PID 1664 wrote to memory of 3696	1664	Hcnnaikp.exe	93
PID 3696 wrote to memory of 4092	3696	Hfljmdjc.exe	94
PID 3696 wrote to memory of 4092	3696	Hfljmdjc.exe	94
PID 3696 wrote to memory of 4092	3696	Hfljmdjc.exe	94
PID 4092 wrote to memory of 4816	4092	Hmfbjnbp.exe	95
PID 4092 wrote to memory of 4816	4092	Hmfbjnbp.exe	95
PID 4092 wrote to memory of 4816	4092	Hmfbjnbp.exe	95
PID 4816 wrote to memory of 3468	4816	Hbckbepg.exe	96
PID 4816 wrote to memory of 3468	4816	Hbckbepg.exe	96
PID 4816 wrote to memory of 3468	4816	Hbckbepg.exe	96
PID 3468 wrote to memory of 3644	3468	Hjjbcbqj.exe	98
PID 3468 wrote to memory of 3644	3468	Hjjbcbqj.exe	98
PID 3468 wrote to memory of 3644	3468	Hjjbcbqj.exe	98
PID 3644 wrote to memory of 5100	3644	Hmioonpn.exe	99
PID 3644 wrote to memory of 5100	3644	Hmioonpn.exe	99
PID 3644 wrote to memory of 5100	3644	Hmioonpn.exe	99
PID 5100 wrote to memory of 4160	5100	Hbeghene.exe	100
PID 5100 wrote to memory of 4160	5100	Hbeghene.exe	100
PID 5100 wrote to memory of 4160	5100	Hbeghene.exe	100
PID 4160 wrote to memory of 3860	4160	Hmklen32.exe	101
PID 4160 wrote to memory of 3860	4160	Hmklen32.exe	101
PID 4160 wrote to memory of 3860	4160	Hmklen32.exe	101
PID 3860 wrote to memory of 1632	3860	Hcedaheh.exe	103
PID 3860 wrote to memory of 1632	3860	Hcedaheh.exe	103
PID 3860 wrote to memory of 1632	3860	Hcedaheh.exe	103
PID 1632 wrote to memory of 3652	1632	Hjolnb32.exe	104
PID 1632 wrote to memory of 3652	1632	Hjolnb32.exe	104
PID 1632 wrote to memory of 3652	1632	Hjolnb32.exe	104
PID 3652 wrote to memory of 4628	3652	Ipldfi32.exe	105
PID 3652 wrote to memory of 4628	3652	Ipldfi32.exe	105
PID 3652 wrote to memory of 4628	3652	Ipldfi32.exe	105
PID 4628 wrote to memory of 4076	4628	Ibjqcd32.exe	106

C:\Users\Admin\AppData\Local\Temp\fe1d6f3669d375abeb74fcecb0fe8ac0e384744eafcd7cec4f190da290246a54.exe
"C:\Users\Admin\AppData\Local\Temp\fe1d6f3669d375abeb74fcecb0fe8ac0e384744eafcd7cec4f190da290246a54.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\Gcekkjcj.exe
  C:\Windows\system32\Gcekkjcj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5952
- - C:\Windows\SysWOW64\Gjocgdkg.exe
    C:\Windows\system32\Gjocgdkg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\Giacca32.exe
      C:\Windows\system32\Giacca32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5192
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5420
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:6116
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        31⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        35⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        36⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        43⤵
        Executes dropped EXE
        
        PID:5680
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        45⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        46⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        52⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        55⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5500
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3232
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        66⤵
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        69⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        71⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        73⤵
        
        PID:768
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        76⤵
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        80⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        82⤵
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        83⤵
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        86⤵
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        87⤵
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        88⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:812
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        90⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2344
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        96⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        97⤵
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        98⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4132
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4504
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        105⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        109⤵
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        110⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        111⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        113⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        114⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 416
        115⤵
        Program crash
        
        PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2468 -ip 2468
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
144KB

MD5
ad3f63f8a2255626f865edc5587e4c20

SHA1
dda76a1d811c84090894a57af69fd67c56fb6bd0

SHA256
dba1fdafa2af9a08aaee5a8f4cc8f4e0240c9a49662d601fccce9fa246439ba6

SHA512
feb93e831f047d50d10fe00a6d3b63416657888fc50ee31a61779dbed7f10d045f83c4b05fb5e5123be634103e8bf524a57df325e060711e3e215fb31cef2e00

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
144KB

MD5
d0e2401790b52f192e4575c4f3d93a99

SHA1
bfcf7d5faa69bd904a8b1f2a35db3c74a67d1bca

SHA256
3c166f8bf41e41e639dbe639acc66f7789d79902d91d57fd2cf93d84b4278a71

SHA512
0b319d1f4d41b55e942eae8afb4715761d4a4b374e736e0dd037b16ba611bfeac58e0df49a7d1bb48ea3fbaeedb21fc977186af44e1c2645cbfdd2363c9eeddc

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
144KB

MD5
c1b73d30bb67d96d45fb19aee52ba502

SHA1
d574c833511df157b8b5124408b520d535e1b999

SHA256
a4b8f9af7c938214a77538668c48e58b8432985df41552c98c0a5c407c93b32b

SHA512
e61ace717791840871e862795025dbe96f19f3800b231fac94bfe5a4c048d728af828471fe6ec59ac1ad847bab097437aeb7117372f84b7a83217efabb464031

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
144KB

MD5
9b33b1d8b018a812c0ec8dfe18fefdb3

SHA1
fbe785fa69a40f348d798765ffed40248582be41

SHA256
ef22ab357d897c478f7ffab6ce6db48e9084b779b2126dfc87cfdb94cf1ea42f

SHA512
a832b33badca559f18d6a00d9767ad88689e67b396acb1e32dcc8310ed858fa8d30cd6f270f78d18fa430b50b8e9c3652abc03f9c3af06c866c745a6aba04739

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
144KB

MD5
ac8dcae835fafe344bbe6579f5f29297

SHA1
ae76a696533232a986edaa46e58733828cb6c06f

SHA256
79d25af24534a0ea59b563f54bb38a139f52b23996ab9e64148b7d6e1dd8e225

SHA512
bdf1da02cbbd411fb0980b681113cbff4b076efb1a45306eca351d9138bd11d0fdc88da54b13ef1af69086575624fd2cf035db4affa7e8defad68972c718392d

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
144KB

MD5
375d78f62bb0d57234fa5789adb4d529

SHA1
8ab18f90ba0d598d9594177c0fb15ec63c8e458b

SHA256
24d74513450a1208927d5291f096fe4c79f2aecb7c5a8b3a3a986d0319511130

SHA512
06d50a2d0b7b9e9bf40eee65dd6e3e8ffb2cd20edc27f960529af300c888815da0aa1b60ca02262ee110c479c1083e137f7bec214c59d95f2c96ae2317d6fd62

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
144KB

MD5
32b5ff3cd3e006c44b426aca4aebab3f

SHA1
d0e0446667ed5664d4783a3a03897f91282757a3

SHA256
716215d5021c61c60fcb4cb1d20be16c4fe061d34dcc2da8a273d1db1225cd36

SHA512
b349b3a5be071cb655ae75862d3f0dd78dd4249d7cc04c9dcf7bb489b97e7d43766265722855f0290f6a8e3fbedc80ff8e8e6dcb500ccd7cf01b5a7ab9355264

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
144KB

MD5
d4a7ff80501d47f79d41dd8e79045896

SHA1
583592ab58b880d20cb092f21ce9cdc074f85dcb

SHA256
eeb4a41deb119af56cca8d100f1ec589b4f5c0ca4260d9d75baf8ed11ca7ad7b

SHA512
90564d12fb1badcfad7978df903ceefa7cc5aebaab9883aeb5ccbfba0db64fe615f2a316016111028bba5e9f4424eae5304d65ab632d8876b7b8ba291f885e96

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
144KB

MD5
6d7ef978308a946c75e9d30556a1b874

SHA1
fe8a5e67f2934acaa86d05adfdf025e7e1cbe1d3

SHA256
c7afb689610c61e797877872db98426cf352d6223c4c513b86e178fbe4bca1af

SHA512
2812f6fa0703b1f7717995681c877a54fe764cee99ebf0c875700d9d115311158a0007df1269529f6b297eaa72c5a62ebf04ca96cac06c5ab6fdbb951e08a9d5

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
144KB

MD5
5df183d75f55b3fed685f2f75bb460c1

SHA1
559c62a630dd346e1d7647e4f6c0ba98d354056b

SHA256
4bc1c26b92efe705559dd79d982a028e22400e2ebbf6be8d7631433b2feb56ca

SHA512
543a5ed88095116b8fbc24dc33f1ae58494170bbe210c7a4cb1dc6755f4c8f4533ffcce73c68fda715d5e307fd79fb28d26043af855f12efdd6d77135a424e67

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
144KB

MD5
67258fe6b3ca194cd53f0fef4f812017

SHA1
2b069412614a4d23a95fbf4ffbb73c03dd9733b0

SHA256
faaf1b2bf8541276586f128363a97f4462193efebea76b28b12f14e50f32dca5

SHA512
802f899dbf72d937c58a1c5135f04e67b127130345a3c67d9e6a42605d6b9028789967d8919e87b03ffa749d7a39f96363e82d8ae604ebb423a5bad8006bccd6

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
144KB

MD5
7c190d440a21a4908797d6ef868e3194

SHA1
8b1c05c65f0f9c3a09710ccdef9cc83c2a30d727

SHA256
0db2a10993979f1712424721fa1240d6939fcaa01272e5bef79fa1653fe6497b

SHA512
0d171976368d09aeb5ec12e60f23a44e1f86d567a5ffd1670622c417e422d575f9fb0bd360dafb05fb7cb86eb9030cc9ba2fcc52c02d0204c70f8794b88e5e0c

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
144KB

MD5
70f9f1b3b8cad2df18037111892e0c27

SHA1
713ac0be25f57e1af4b855b03ff514eecba06372

SHA256
bc8536fa3adf447eb8bf524a6f1b9ef86d0c7f9d4d09f019b904c163bbb3f799

SHA512
5e011778d49150c830576fdaa7edcd582e0aec7800da79e2f4ec2384b97e03b2628c66d931c7450cf6e5cea237e92f1836208feeb78becb01698bf10908153f3

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
144KB

MD5
cf955737a1e697b4be0cbf317ad627c9

SHA1
b6f7038f72ea815fc1e19a4616b27a72001235bb

SHA256
9f7399a0f8e93766c0a923fbe39dfb31517c11837bd4dcce95af0ff29bcdfe08

SHA512
b609920a2975ef8aab6b7ef60862eeadb04d42ff6a21028c7833bbf6c9d36d8814ce9f1784fb446f4c6a5a4de5b8254034df79929d11c0d2df4bb5518e26779a

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
144KB

MD5
a87ed3e1ee687b3524420ab363fa0518

SHA1
e137a1ca6fc674562fc1862118311a4ec9ad360e

SHA256
0a84d58e3ffe12ce9efa3c2c6d1ec6449daf8f5ca76ca01de0a1850f68c1a7cd

SHA512
54251873e3fc91a266c8a6d502d95778b9d2910d504765b9fc42d44615cb72e9aafe7d9ced209a1d039d12a3a7a07082f517451bdf4637c933419a3a24e287e3

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
144KB

MD5
b7fa9d1c26e7197e0d143c994bcaac84

SHA1
b78ff529925ca00e3b2593b54bc739d2fd093d04

SHA256
940a4ee8db01fa9314d2b19ff79feb88cafe6ec883c6e193981a2bb3cb7e7335

SHA512
da29ed098b383c4905225b6bdb4299ab8c90ae6402e4aed711cf11a35c543c65f7a5b6c3a50fd4b7c58bffa1dbeb345e10ecbb99d2ccd9bdbecfe7ff14e283b3

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
144KB

MD5
4aa9fc90e6536de88cbf39d3458904ea

SHA1
91ac1df85a92dfb71f9185514653998dff5b2f13

SHA256
5f086509ae26db0c097c385abff5397f43adf735ef1caa65d0c2fb16e3d6656f

SHA512
f0a16bbf7491daf699acead1be363d3bd3738c13c5bfb97d3247eb84a7b934b8b9dbb1c4f5b749dd96e5b21df77cd13b30f55632e7d324e9dd730fb6427e1fa3

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
144KB

MD5
b93a95410fecf2bcc1a2717ca976fbdf

SHA1
03f62cad5aae467cf65457a92e44c4f2fc8ba51c

SHA256
e2282f7610f4b3cae31add1b8410dcb05c4580cbbe381686c761b8fca38c16e6

SHA512
bc5ab2ca40a0bd7e646d60d370639ad78fe370018be21bf2f8324f818d12fd888b0bdffab54256f4cc0ad988c7ec879597a9f8fb4b5b940d6f0f066dbba0132d

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
144KB

MD5
046643cd0996996554a0526ad5cfdd55

SHA1
9433929093d559976a7e2b76b2b488ef4a839959

SHA256
037052bb3eec18cb5e432e4f695c7840bce4243d6fffba8525de290ef4cfce54

SHA512
2c67aaaf4310d0c132a0921f7079f5b86f40a8479828129424c2740741efff2f1b155d42de3441dbf589be8a7b8526d00a1dcfd4fe791a154a6f421fcad95aec

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
144KB

MD5
ef67087a621f6fe5f36e511056f6c735

SHA1
14143b4858aa8c0a167b8ac275956d1205dd9281

SHA256
9ac606011474a109e11910d942459b4bf148dc6a33ed354ca01d200d0bcb84ef

SHA512
56f63479c5f36ce1ca9bd1ecbf4a4c12dd9347481171227384dd2f3d330fbe7506b02371b32c37cd97d35db6b29ae8c3098d10fbac82a2b07fb0cb5a68f9ce48

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
144KB

MD5
53281e977b5b8006548bd448975beedc

SHA1
a9d08ac8fa94cceaf92c53e3d184b135e2ae40ed

SHA256
a5c2d29573dcf7dd8861bcb03b511b802cf4e48a32b8949f628c904e97568483

SHA512
ed2eb34334b4b777d6cd80c21340bf5490af1f7b24e3fb7d554616fde955e0baa55a5a4a9f6649d7ce488acf4236c3d1018e9e0c5bea5b4ef7ac7b16a93e8acb

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
144KB

MD5
b30cbe555d123a3815c1dbc909864502

SHA1
c8f33ec121d9a68526738e5ce4c41eb44685b1e3

SHA256
f1891a7b65acb9c3d4e23d1062a05262b36b0b8aac9ab51e2bcbc4b45759aef3

SHA512
358b6cf5319753e594f075df7b32bd99cf6b8482b6c43522d91f2eda074ec0456c7f34429c467cefab27cf6327dd10e6573d044aaf56b910ff8e2b3cb2f43bc5

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
144KB

MD5
79807e90f18b4b0eb6c2e04102a6043e

SHA1
af16d20cefa205d19afe12b059318634c0bbde5f

SHA256
06527de91b1407bca13732ba09ec876f94a0197069ff6250db3f72fdfd5e1bc9

SHA512
5c4ae3949349602d92d01a15a2e675fd52f89ef21fa58b66326cb9893fe258cc966bd04a895ccbbabba8cc5b307f280301a0031165d4d72ba8223c6b4f561069

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
144KB

MD5
372f170f9bc9cd4706118de2ebd0d3a4

SHA1
1ecfa6cb5bc49bb45db67235c6840d32ffce5e86

SHA256
d8ed6e815eb6b09cb12d694d9f3de7f87744ecc189024f1e3eea6a9c877d9636

SHA512
0d5de713616207bae81ba42ab9f8a6f6fbd2c50755232a322f231b799ba3f76f352df0fb54552b5ae162eac3c565daf6e117c0a08c80a5df980324b26e40d0b4

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
144KB

MD5
c0b523d944809e999f40e1809109616f

SHA1
aa499000bf23200e002365f69faabfa962721316

SHA256
9f4cfcf769c84a45f7bfa4c932b870507788da300d4dd5981b340eaee871c09d

SHA512
7453e68906ca739127663434b666f2c23b80966f42a839202399a1791203e79b97a2977a790374b459d9a0042d64e167ac419c7e483431bcf676921ae5ac55e2

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
144KB

MD5
c4439bad0bddaba8dad004a93208d30f

SHA1
119dd05af5ce047a147a49f07ae45f85f36e73b0

SHA256
f76be059cee2344424827c777f36b4dee42e952c22f19ab777c55136d6049673

SHA512
19ca8653dee5871b368c63da65b1e1149e00f68e38ccc934f50ae7c86a3847899152aff31f2ea99c95cec34f067942e78b7129f6c4aeb3f810420c46e6be7eb4

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
144KB

MD5
4747ca99af11881f1e816f83dc51f62f

SHA1
0e9d5dff0557b1984412b4ba23b87a45f9e4f6c8

SHA256
6e4c73c417a691817539cddebf7b3b087d7db2bde216c0876fd7bfe7d3555096

SHA512
78ad40064da3a30427bdcb47a96b2eb70d7dcabee3e4bde60d34629651032bdf62abe05443543bd5aeaf65d202b4b08a22792b654cd95161098ee18ce9f4418a

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
144KB

MD5
095da07ae8278508609459e5bf6c4903

SHA1
0c371de1721c5b8d7a365924ad89bdfea397c12d

SHA256
7d0f93beefc67fe45631bbf201666d33a123cdb87836a5753b7867cdc0b6e881

SHA512
65b5eac0d0afe967761935051d4daff208fa57b8a9119126e84b8d047ffc7a118324f78578e3aa7710333a6cc5c9f11c2b24ea07e82a17f6da67713bc40999f9

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
144KB

MD5
3a4367dcb264d066a3c18a53347dd33d

SHA1
9961fb225649050075eaec3c7b713b9540e0fe96

SHA256
7a32ee16b9f211f78d552e9909ba652a71b5af0312268a24bfa4e02543c89f52

SHA512
1a35eade47f40361062631299acea6c148eb542d8cc92d4846afc19cd5f5fd5144fd39f7fef0edfc9b93a0d11c5375cba4eeea1b713c4c6334c43355e3b36a60

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
144KB

MD5
b48d5c5e51508f5a1a9032066dbef786

SHA1
d678b3dcf4721f235810d95565b4f8e87d68e17b

SHA256
3c0e21be1d63db2d14e2c7bb39f63e71c1c9b489f2408b85b59c699a5e4ed03f

SHA512
249394d44f0d3516fd96d6e5cc4cef2dccdd0f902f20503a8ce72a2e479e9439e6e287362a5c02710a545202f7ac3eb926fdef5a97cc9c1f593e0f18425d7f55

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
144KB

MD5
98b25009a1a9d7bdd2a7fc59345bbd74

SHA1
e89262d0c8ebe6719d87cf9a0f1baa9c257e95ff

SHA256
ee6db26d079f12dc415df5aeb86145f0a8c16cd851d46984ac0be12ca555329a

SHA512
2a83639586c44bd562a84b55e7e96f1e509065b80295876133cb8277ff650ae47a0a247d14aa72470f3fae3518bb8720efbe39d8d83469acd7ff536bcfcccb61

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
144KB

MD5
cb9c72c97b2081d51b923bd1f607a480

SHA1
15a0c25bc3571210ae7c5ed78623a15e6440414f

SHA256
80e138b3c2bead130b11f3d424f79fa502f43c74feb4a4e2ab959e365b5b0bb4

SHA512
69d0154742e13b50659e8ec90ab29a31ba0fb32ba6297bd9bb7b93a1b8d0b3f244c77d0e467b0a7cfc161b94de25e424f8bbfb50c2044b545dbe1677cdeff117

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
144KB

MD5
0431599cf968cc3c8ff734fa3138b3e9

SHA1
008a83f59a96f6045894d82b5de4bed30c324c55

SHA256
37356c53e86cf73e5e07c4a915b6d80cbb4ed85b22bcf961fd792eff0ba5f9fc

SHA512
9efe05163850101aa21269c1f02ab24dd57b5394dff92507c093387a840b5b82e1fe6362ca08735436d9b00f61385776863320049996fe7c524c25be93d5ebf9

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
144KB

MD5
3d775b868b5be384708d5b2a449e8111

SHA1
5bf499843c1b9bf273e7c2f488a44ccfb715063b

SHA256
8534f674db48a735445a1612dee0efd3420236c3992f34b463f107d874ad2561

SHA512
c8fc37ba272ab5efbd1ef3b1103fcf3495e5165c86dde4ab48971a3ab237bcd939fee24061b8f1c5c08f65e0628f66d60709de0499b6623afe225e5b035106c8

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
144KB

MD5
d5888603c3588cae837b0dc1bacbdb9d

SHA1
cddb58efc0fd7a582c14e62b654c8fc988e6b6ef

SHA256
f23fff4a6af3b6cfebda6bf680c7c3c48f83eef34c3d82b32e24d4c015aa975c

SHA512
38dbe8c2202428abe90b5457d5cb0bdd6fff291f57b651b467a1ebc0d440c55ac1d34a546bbba58d055f580744773e952187e9fc61e25c8a83a9d7caa6df4264

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
144KB

MD5
556a69a7477767cfd70c9e9c92126831

SHA1
5e7afd3407ce34dbea9c4616bf2a4914c6f995a4

SHA256
89013a6603096188b548dd382c1ad07c408eb6f696228177c88ae0e56d2bfe93

SHA512
f5b76ee5f2e2c3c4e5e645fcbf44a3cae2dfdac2ffdf7006950f3771ff8d0f137c92f527385215f01da02bc93773545a48a19a6d838512079dc2d31da6e90216

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
144KB

MD5
ee5e6dea6b7ba612345c37a5b6c83fa3

SHA1
4834d3ac2b1fa9c8577fd3e3e79e770769ac2807

SHA256
b371598941565368f05977418b2cc87fbbe4c4a766abcf5b9c2a19af41184d0a

SHA512
9b2b6952083987f21885e6fecee1f70553f427fa3f905272440a976ae4a5f118099b4cb89c06182fd30064b0319b4823abceb8eedb75dfc222eed683aebdd760

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
144KB

MD5
95628389847519b88b811bad514215f2

SHA1
a7341c6c2139c0a197606c5d2626011dcb613e8e

SHA256
879b565737823c5ceecd2c0fe22d240550d113e5d9d9892970e4f2ca1b1f5bb4

SHA512
114762f8e1f72ddbe3d19ba8da725aa0ae517fbd0f9c96cb606c95fe7508a99c6c91440684010b75f6ba71d1a0dca9678acd118adcd3adff4cbc7a9ef6698e55

Download Submit
C:\Windows\SysWOW64\Lpacnb32.dll

Filesize
7KB

MD5
f975b7d3e4078fd524d5a805ef66bbd5

SHA1
4aee58593f35c408eae387043ef89503d6de60a9

SHA256
09ce18ade9a77b80c089f910966b0e9a8914a44646b5db89b05adab4bfb09404

SHA512
42aab1b21fcda2e67df0ee99e0645f0f075db95c1ca1b95c973e60704fb86da707d1c7fd22a4db8fb2ebd4f9b6987c984df02ffe9cc7f5c272a777663d2c58e4

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
144KB

MD5
ed1927433574a356e03a1090969ec575

SHA1
93ef215a7f2e5281239eaef92b4dd4c2edaf6b94

SHA256
9c314f891556610a07ca9e0cec6af94dab20a5418305905b7dc2b69cae298341

SHA512
7dbbb21e4ec00570f9f239b7c3b6501ed48ddd4dcfe52a479f73b5c638fafb2a8dfa260d41fb8cf039dcbbff538a56e7311c1b88543f70f7c9c184d158b861bf

Download Submit
memory/184-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/232-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/720-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1072-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1288-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1440-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1520-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1632-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-548-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1664-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-550-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-538-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-362-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2136-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2384-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2388-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-578-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3192-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3232-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3400-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3412-506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3436-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3468-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3644-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3652-164-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3768-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3860-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4076-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4092-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4152-571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4152-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4160-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4352-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-392-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4516-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4628-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4816-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4924-188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4944-196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4960-271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5020-570-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5044-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5192-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5192-585-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5208-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5312-576-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5340-520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5396-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5400-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5420-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5420-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5444-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5460-470-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5500-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5680-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5696-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5800-488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5804-597-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5828-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5952-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5952-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6084-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6116-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6116-599-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6128-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads