391a8e993bd67d59902cb2b15b3e62aad3d6b63d767579768a6b9a113343bb61

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

391a8e993bd67d59902cb2b15b3e62aad3d6b63d767579768a6b9a113343bb61.exe
Size

64KB
MD5

66b6ee757120e170cffaa702df404c03
SHA1

390cdeb974bdbdefd9b27fe4874932ab88969800
SHA256

391a8e993bd67d59902cb2b15b3e62aad3d6b63d767579768a6b9a113343bb61
SHA512

7724a577d14c1705c62d51e0aa12ebfd3f566d060842c7e5df77c4692dc295a02d8e9c58bc75f720d45c9aa4d6d243d1c95dab7bde83b5f283ac76a6ee480dac
SSDEEP

1536:8mCkJtrKRLkRFizNE74XTfI66vlJly5VP:8mGi27I1vlJlkt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	391a8e993bd67d59902cb2b15b3e62aad3d6b63d767579768a6b9a113343bb61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe

Executes dropped EXE 64 IoCs

pid	Process
3140	Hjhfnccl.exe
1056	Hmfbjnbp.exe
1656	Habnjm32.exe
1948	Hpenfjad.exe
1780	Hbckbepg.exe
936	Hfofbd32.exe
3364	Hmioonpn.exe
716	Hccglh32.exe
1192	Hfachc32.exe
1100	Hmklen32.exe
2596	Haggelfd.exe
3248	Hcedaheh.exe
3032	Hjolnb32.exe
4224	Hmmhjm32.exe
1704	Ipldfi32.exe
4484	Ibjqcd32.exe
4412	Ijaida32.exe
3844	Impepm32.exe
3136	Icjmmg32.exe
4516	Ijdeiaio.exe
1744	Iiffen32.exe
1020	Iannfk32.exe
2760	Icljbg32.exe
3628	Ibojncfj.exe
4984	Ijfboafl.exe
3320	Iapjlk32.exe
2876	Idofhfmm.exe
1968	Ifmcdblq.exe
4644	Iikopmkd.exe
4472	Iabgaklg.exe
1016	Idacmfkj.exe
3048	Ifopiajn.exe
920	Ijkljp32.exe
1424	Jbfpobpb.exe
1436	Jfaloa32.exe
1060	Jjmhppqd.exe
4768	Jagqlj32.exe
2288	Jdemhe32.exe
1920	Jjpeepnb.exe
3304	Jibeql32.exe
3724	Jaimbj32.exe
2604	Jbkjjblm.exe
1784	Jjbako32.exe
3648	Jidbflcj.exe
4240	Jaljgidl.exe
3584	Jdjfcecp.exe
4616	Jfhbppbc.exe
3212	Jkdnpo32.exe
2520	Jpaghf32.exe
4512	Jfkoeppq.exe
756	Jkfkfohj.exe
4168	Kaqcbi32.exe
4024	Kpccnefa.exe
4136	Kbapjafe.exe
4204	Kkihknfg.exe
5000	Kilhgk32.exe
1936	Kacphh32.exe
2508	Kdaldd32.exe
2504	Kgphpo32.exe
4788	Kinemkko.exe
4864	Kaemnhla.exe
4376	Kdcijcke.exe
3164	Kgbefoji.exe
3152	Kipabjil.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Icljbg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6188	5784	WerFault.exe	222

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	391a8e993bd67d59902cb2b15b3e62aad3d6b63d767579768a6b9a113343bb61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 3140	4928	391a8e993bd67d59902cb2b15b3e62aad3d6b63d767579768a6b9a113343bb61.exe	86
PID 4928 wrote to memory of 3140	4928	391a8e993bd67d59902cb2b15b3e62aad3d6b63d767579768a6b9a113343bb61.exe	86
PID 4928 wrote to memory of 3140	4928	391a8e993bd67d59902cb2b15b3e62aad3d6b63d767579768a6b9a113343bb61.exe	86
PID 3140 wrote to memory of 1056	3140	Hjhfnccl.exe	87
PID 3140 wrote to memory of 1056	3140	Hjhfnccl.exe	87
PID 3140 wrote to memory of 1056	3140	Hjhfnccl.exe	87
PID 1056 wrote to memory of 1656	1056	Hmfbjnbp.exe	88
PID 1056 wrote to memory of 1656	1056	Hmfbjnbp.exe	88
PID 1056 wrote to memory of 1656	1056	Hmfbjnbp.exe	88
PID 1656 wrote to memory of 1948	1656	Habnjm32.exe	89
PID 1656 wrote to memory of 1948	1656	Habnjm32.exe	89
PID 1656 wrote to memory of 1948	1656	Habnjm32.exe	89
PID 1948 wrote to memory of 1780	1948	Hpenfjad.exe	90
PID 1948 wrote to memory of 1780	1948	Hpenfjad.exe	90
PID 1948 wrote to memory of 1780	1948	Hpenfjad.exe	90
PID 1780 wrote to memory of 936	1780	Hbckbepg.exe	91
PID 1780 wrote to memory of 936	1780	Hbckbepg.exe	91
PID 1780 wrote to memory of 936	1780	Hbckbepg.exe	91
PID 936 wrote to memory of 3364	936	Hfofbd32.exe	92
PID 936 wrote to memory of 3364	936	Hfofbd32.exe	92
PID 936 wrote to memory of 3364	936	Hfofbd32.exe	92
PID 3364 wrote to memory of 716	3364	Hmioonpn.exe	93
PID 3364 wrote to memory of 716	3364	Hmioonpn.exe	93
PID 3364 wrote to memory of 716	3364	Hmioonpn.exe	93
PID 716 wrote to memory of 1192	716	Hccglh32.exe	94
PID 716 wrote to memory of 1192	716	Hccglh32.exe	94
PID 716 wrote to memory of 1192	716	Hccglh32.exe	94
PID 1192 wrote to memory of 1100	1192	Hfachc32.exe	95
PID 1192 wrote to memory of 1100	1192	Hfachc32.exe	95
PID 1192 wrote to memory of 1100	1192	Hfachc32.exe	95
PID 1100 wrote to memory of 2596	1100	Hmklen32.exe	96
PID 1100 wrote to memory of 2596	1100	Hmklen32.exe	96
PID 1100 wrote to memory of 2596	1100	Hmklen32.exe	96
PID 2596 wrote to memory of 3248	2596	Haggelfd.exe	97
PID 2596 wrote to memory of 3248	2596	Haggelfd.exe	97
PID 2596 wrote to memory of 3248	2596	Haggelfd.exe	97
PID 3248 wrote to memory of 3032	3248	Hcedaheh.exe	98
PID 3248 wrote to memory of 3032	3248	Hcedaheh.exe	98
PID 3248 wrote to memory of 3032	3248	Hcedaheh.exe	98
PID 3032 wrote to memory of 4224	3032	Hjolnb32.exe	99
PID 3032 wrote to memory of 4224	3032	Hjolnb32.exe	99
PID 3032 wrote to memory of 4224	3032	Hjolnb32.exe	99
PID 4224 wrote to memory of 1704	4224	Hmmhjm32.exe	100
PID 4224 wrote to memory of 1704	4224	Hmmhjm32.exe	100
PID 4224 wrote to memory of 1704	4224	Hmmhjm32.exe	100
PID 1704 wrote to memory of 4484	1704	Ipldfi32.exe	101
PID 1704 wrote to memory of 4484	1704	Ipldfi32.exe	101
PID 1704 wrote to memory of 4484	1704	Ipldfi32.exe	101
PID 4484 wrote to memory of 4412	4484	Ibjqcd32.exe	102
PID 4484 wrote to memory of 4412	4484	Ibjqcd32.exe	102
PID 4484 wrote to memory of 4412	4484	Ibjqcd32.exe	102
PID 4412 wrote to memory of 3844	4412	Ijaida32.exe	104
PID 4412 wrote to memory of 3844	4412	Ijaida32.exe	104
PID 4412 wrote to memory of 3844	4412	Ijaida32.exe	104
PID 3844 wrote to memory of 3136	3844	Impepm32.exe	105
PID 3844 wrote to memory of 3136	3844	Impepm32.exe	105
PID 3844 wrote to memory of 3136	3844	Impepm32.exe	105
PID 3136 wrote to memory of 4516	3136	Icjmmg32.exe	106
PID 3136 wrote to memory of 4516	3136	Icjmmg32.exe	106
PID 3136 wrote to memory of 4516	3136	Icjmmg32.exe	106
PID 4516 wrote to memory of 1744	4516	Ijdeiaio.exe	107
PID 4516 wrote to memory of 1744	4516	Ijdeiaio.exe	107
PID 4516 wrote to memory of 1744	4516	Ijdeiaio.exe	107
PID 1744 wrote to memory of 1020	1744	Iiffen32.exe	108

C:\Users\Admin\AppData\Local\Temp\391a8e993bd67d59902cb2b15b3e62aad3d6b63d767579768a6b9a113343bb61.exe
"C:\Users\Admin\AppData\Local\Temp\391a8e993bd67d59902cb2b15b3e62aad3d6b63d767579768a6b9a113343bb61.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\Hjhfnccl.exe
  C:\Windows\system32\Hjhfnccl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\Hmfbjnbp.exe
    C:\Windows\system32\Hmfbjnbp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\Habnjm32.exe
      C:\Windows\system32\Habnjm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        31⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        41⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        46⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        47⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        48⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        56⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        63⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        67⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        68⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        69⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        71⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        72⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        73⤵
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        74⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        76⤵
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        77⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3220
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        80⤵
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        81⤵
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        82⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        83⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        84⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        89⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        90⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        92⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        94⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        95⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        96⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        97⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        98⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        101⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        103⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        106⤵
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        107⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        108⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        110⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        114⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        115⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        120⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        123⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        124⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        127⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        130⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 400
        131⤵
        Program crash
        
        PID:6188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5784 -ip 5784
1⤵
PID:6148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Habnjm32.exe

Filesize
64KB

MD5
f47988934d5eb46a0c0af9fc2333d59a

SHA1
4c01b9a811bc86724216e0911e0cdbfbf01211d3

SHA256
5e005f3f401b5ad8c1f4ee6672a1644b6f63a3c1333b3171a057411781dcaef8

SHA512
42b3b96d6c9b69daa37b97eadcfbeb92fe8e2516b3cb8609e40ac4ebfde17bbf09ae3df72ce11b569e255e842374538e70e85979b24838a3830e79e1ad0e82fe

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
64KB

MD5
e34a7c84e56474a1182543068f024814

SHA1
6b068f96b44458a82cdada90d5a185a9c86fe2c8

SHA256
8ac53c473cf99c7ac6577e206bcc600b2fb7d6a1125fd118abae6dc2ec1f9706

SHA512
ba70977893acac1b4b68396963fd32d9d978b2e9df2f8077d10a0dc507f01ff7fa1dea9f2a34d0cb27aa8b237041d06272257aa22bddd49cd3b52213d19ad2c3

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
64KB

MD5
4e0694b74f26e3ae2e8a4a375db28d59

SHA1
a6d86f3084dd7eeb2f27dba8a0da6de62d3be380

SHA256
7546daf339e828059dc7168e3bd1c25f5d10c992f06419b1508103edfcf44b50

SHA512
2528d94dc54c454e1bb743ae7602afc770a5b33b55f215f2864abbd8073f6073b7df3a8e716132a40d2bd6d9153d4c1865c36818ad3e17d26b18fe1010fc13ad

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
64KB

MD5
5f9b32213a198a23395caf8b20c6b8b9

SHA1
ab0827b408ac268adc6b60d334f3344f1a61e43c

SHA256
b99a997dbd4d1cead4aa847d94605c6b9f06bc2c99ed68963bb5e4ede6e6305a

SHA512
9c8157f6ad3615c11e903913fcb5b7f68a7cb44ef12f50a9fb70bb59ea349b8abca6ecb807315d72b418c5fff5710ff4d27ec10d0d361a09ff37ec391edfb542

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
64KB

MD5
389f691a550e6f89ea1537dd84409c77

SHA1
4123c04d8fd31ca7c3191decdb6990e0e072b7b2

SHA256
6711d1f537d6f4e683e9f22363d97d84f24103071b98f2e6446e7887929a437d

SHA512
be4f399436e2d233c97ccf832eabf64a1bed79fd07dcacf622f6497f5a789f992c6315cfc6a188e75492070924cb7ba125c1e6dd876fe591a407cba8bd81f127

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
64KB

MD5
bc924a67c71912d31e89a08740b9605b

SHA1
349822e7e82f4d98808807640fb622b13712848b

SHA256
9fadcaa93955a7977d8bd5eea19a5a1dd5162a8895b595d8f5c353a4de834725

SHA512
584cab6cb583bc1bb6564f52a008c8ad01d3ff7905185084c592aeb815fae6838804bb7cd61ac7199790af91043b23030916bf0219cdfe07257e77ff8fe592ec

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
64KB

MD5
93fb29e13a16a7d53d9760841fd06091

SHA1
0180e790895a28c828dc942a1c8fdb8b8c33a1bc

SHA256
a4b55083c5f330477cc5e8b9dd4f52fb3854a5d3133eb64f022563a9eaf5ed7c

SHA512
d1df8db8a1c675e8ca4851119980b1a84f5e4874d1e5bafa1160cc0d0b7fdfe2eeb8971479a8d276dd61c7dd92093e0671e17d31c458d60b6bc98212773b463c

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
64KB

MD5
d1012d3ff7fa1d3a8230d6045c612838

SHA1
5492905f502059c3331e287d26a7345074e2c8b6

SHA256
bf49e21e54612243520162c9f03c5431137c1011d61cff28ccb3b64e012ef237

SHA512
edfa5c47af78186331526f27a319d82974c230f3dc968167f18f7370be7c3a9d53f3225c67d7fba85fb3fad0bf5e72caa261ad077298d7c55891ed91f2c4fbd9

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
64KB

MD5
8bd44bd60739a840b074aa3afc1cbbd9

SHA1
a01c52e92bc9ffbb051b7246a8f1958f3a341acd

SHA256
a27d7e3310069cb974a40ef726ec658f960dca2089d3169b4a387362e3def6d9

SHA512
e5e54472fd2f72bb7347a8c815eb598276f1a5d6b8aac94591ff1be3f80cdaaa77dd62b11fbc1d1db5bb0940ba9dc97f28c68bbbb5ea2393c57aa7669cf5505c

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
64KB

MD5
4d0f31138fa51da700cf87f058cbb0bb

SHA1
e4a2ebebf47a5ebe4ce12dbb1446749c224f54dc

SHA256
7015637afe1c9b0186d7d9f089bbfb5135c19682d8393b40685fc9e9fabfe9a6

SHA512
5e2ea8f44b41c1e117529924fd82e5d985ebc8b4eaed6250c5c9139abfeace82f070bae94e3f6b811d087c87c49084628631f4a6c283381cd6f8b7c883fe2ed8

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
64KB

MD5
575342df468e2d8b1ad724b6058afe10

SHA1
cbfcd2aee4282c9dd7c724ae4e02a07dd78fc34f

SHA256
4af952b6618ad22860a47c62521f21a4a4056cbf32bbdc74fac0982fbe9f136d

SHA512
423a8e9713d146460684d64951a672c629882185839b7719fb3d48a27332c7db55d2fced63f8a73adb84575c1e0b403e30beb9310ddc879ef2641e30761da8a4

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
64KB

MD5
90f6e880b190d3e20fc1b6c0528ab6e0

SHA1
719788b0e9060917cfcb9fa27806d8abf852a7ba

SHA256
698408a1701748d2b963688fab088134ad0ef7acaaef4074c99e3fec8c35011c

SHA512
432515e7997d83b6c3e32b15f54f91adad7d52f285e42a015c5406049a6772eaf48280c113bb40a1c70c9f5a54332f83e9bb610725f185d8e09acd018dabcdaf

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
64KB

MD5
37b11c0b856731f137723bf51770f963

SHA1
d5215582b1c525d895bbe9f360e9356e777ab004

SHA256
fe3bf35c3163e644efbcdd2bde1af42e2903d195d64931b7140e35cbfd8402de

SHA512
348805afcf2debce65b7269ae5a5d68da5f1967bc46a645155a8b6ace33b2f130b4c67f25d4e7afb46e791385e2d13d23e8c2a0550679e13b756011b941140b0

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
64KB

MD5
02827f1c607650b0ff99a82770d31616

SHA1
e846e5905f97d428e9900c10ffc381ef2c2d61b2

SHA256
119149f5bdc521051e1030be43cbcd1c8abb90a5179ef4352e6e41f1ee9f2efb

SHA512
3f120e8fba2e147cce02f2318c602c6c51891311083679435daf4b7418b14b4e85c46f1b2e5dd9fa26ef1c7b88ccf86d3fb686b715754e74829ee446aea52843

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
64KB

MD5
fe9161f83ac57bea1f2d9a34e1725903

SHA1
c4e2dfb39dd62d65223d87a29e9a37c835176b03

SHA256
f1e3fc243afab86578d878221ce71a25694dbc0e9c7b0d1ad94e7070f0b6a5c7

SHA512
23a7da7a52a9f3c063d6d74491cddacb558aba1895924386606a82d1c9b197ec3120aec8a61966158f6b264508dd69800723e9eabdc8bc9077547fd477bfb984

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
64KB

MD5
fbc146d12e90115e91a6eebf39796697

SHA1
74755f6f753ab0f65c6916ef3925bde90610ea89

SHA256
0826072f08bfeb0ab15695944f242aec990d9155d5a83b80d99e7e524fb851a2

SHA512
9a7a9ce66050114bafbe943a8a7403ea3933d39f1d6d12bb8cdb842cd7823b9670927069e0af2cfab93a154b20be6cb513c14915418264953a05b95b93a14c61

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
64KB

MD5
36862146bdb772e9b22673e9ed1a3c79

SHA1
ed0e3aedeb26432afc70824734f68f4e34ab24de

SHA256
0e23cff1643db85f3c4e641a2392579f3a4403e045bab3555a127c85ce8e2323

SHA512
314a5c4c9d32c3e598b34647c805a0387b62952d76193ed34b869fb015b8371bd411f1449b0820454ad36896d670bf10c89c88b3893d25630a64dd9a50ff5e61

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
64KB

MD5
04b54adfbe545ad8f868ca21697af495

SHA1
e1e102ce79a78ca2ce037e7ae37cef507125ce62

SHA256
961cfd91a0698f91433e0ef56e8860dede399f47b0b83b77f05b4a23f8fc17ff

SHA512
6f658aeb6daaa47da5c554ea17b6f36613027aeb1cf970f62fed7dd672dbcdab0ef96cd0c3e76926b145b2926bac4561386470f787f95cc0232c6dfc8fbae35c

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
64KB

MD5
42bc8a97d2cde14b21ef1c9ae480b570

SHA1
7f7da73de36548ab4240b806d1c0f210acb088a5

SHA256
2dc0470f66bbf937399678a043b002806433aac8ee8ad62e74806a385936e1ca

SHA512
e3443312ca4e190eebf54deb475cecbe90f263a3f8792759e1cec9d514b2d1c430a04cb949688457f6c7ebbc9d7eb731cfc8558ea4fec01d75b3447bda4b4968

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
64KB

MD5
d3235ef15da5ba867e9c07052c1cfb25

SHA1
8155b3d24d738e10a75807973ee856396ac20156

SHA256
e6f208285eb0420907b8a054c2dc0d95dd4bbff93520a17e5f53a72cbc0ce444

SHA512
8de99bd7f04089541559f00532c2aaed02809c2bbe68c3cef6d4fe1942165a8ac80ed7f33153691c068f1adb28456cc53545c515a279237a7f690f06bceda6d8

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
64KB

MD5
3b732b166f59a35e9b5a4715f7e49414

SHA1
22a63f4bb2a4b59be4e45245a2d183541caa87c4

SHA256
144f1d20ac0e4afeb6d7e086bdf0e76087d9d76754dd71afbfeed9da2dd8acf7

SHA512
6f5d87980ee187de96cabee6567203ae0d36ad165eb90c2755278c42b61ae290cf7ecefc46c3a4bca30fa559ac879943ad3f5bd3d0de549f57510855001aa141

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
64KB

MD5
c821b0e5048f99f431193caf39f1bd47

SHA1
660e59cbf18f0ac3d0b7832d199618123be5c3e6

SHA256
b309a374cb7ca62f9293c82ff5f731f92a4206413aede4e125460c25d5276a7f

SHA512
dff5a1bba4dd77236cee04b34fd3e993ca3169672508ba2cc0513a7a81daca4a3c99a1191f73b2c9419ab1563578ff4faab4bb17f9a002a20d7117d146681ca3

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
64KB

MD5
8e02980c67ca5d05ea05f47617bc8013

SHA1
ec8a4e75624c2c5864df81f9b866734f7b49ce5a

SHA256
80a3b35fc369ddf2d3d1e52dd561d5a7bb6bb2dd04f85d6c62d77201dca53048

SHA512
c0586191b394c3162697e4cafe7fbab9a95b2da51d039bcd477b865413767f7b7c5e73cab0908ee306c7a31347fa8f297a4a6b7bc4dc0da1a8a869d18f672d45

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
64KB

MD5
b1c77a2c7a4324435cee956548dc2db3

SHA1
a3c5276ed98b701ea452dfcb306715d22c0f80b1

SHA256
da4eb740d1be35cda4a18cb5f47875e3a977888669258063f1163ea8934d8438

SHA512
4f231936b367082d412bf660c98e384a6aad711e4c5a6bb894b00d4e62754e6ecefbf640cd8e1a6f2fcdc19d55d5bb01f3838a7a87e3856a103927461c137d5c

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
64KB

MD5
9ae9a01eb4183d3dfabbc146c3e81dcd

SHA1
63c851d959b09d5c3ff1717eb09e1207ba206a47

SHA256
9f81b4ee5f7714c521067a42d5837925ba9630937c50b2d2d1899165e9f1ff58

SHA512
d86ce5452349a01853d2abdc3018bf83b39f9a3e9fc4d1de2435d1dc4e7358b177e788f72f4746a42237077e8454d68a3daf94d040158bc4805d8603b0098ac8

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
64KB

MD5
ceeaf0d8693280d181b6b2d599433a59

SHA1
7ceb1691b2c782699eef650a1b6802f94303de52

SHA256
aea7453cbacfcd507cae05e554210c66abf4bfdda7fca46cf508ca01a9126f0e

SHA512
19354276bd3a0ff2c4dddf42f86fd51bf8808331fc9a61a811929f3a8cdab750dfcfad1197d1fae319c07ba3d7c61c44c64416546559bab921cffa40c3b2ff09

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
64KB

MD5
be8c5b8bf1b206fb9b61750007b292cf

SHA1
004c8fb22ba1231b2f306987c01546e60e905b98

SHA256
91ce03dc6556a45e6333f5833239c2f562d865db0cce0bee0fcc14d166ee829f

SHA512
92eceb38354fd17c784f46a85e254ac4b81a3198fd2cbea57ee9e4b5cf8b513f8de61abca8691ac9965338acea9f4ada821550e0f0aee0d817210dcdf575a2a0

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
64KB

MD5
015827897cdcd5280476e3c14b4424e1

SHA1
6b36720f543e04202d28a1848279fa7519946a33

SHA256
9844d6eef063255b4d4256debaac53eec814e4112332ef07d920aee62c1212c7

SHA512
f2d8a12740137fc9e0810c9c5b1521cb9e4d2b2ca20bf3ff7143e5fd621324ef9b106a3d8e31e9cfe2eab556f86b2ae4eb20890e48be5a2dc3871b1381c8f341

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
64KB

MD5
fe675cd5825be2d08f905f2f69eeb99b

SHA1
b4b5f8ad07965ada345d466a162eeaee3b18a1d7

SHA256
e68e479bbdd96ba86a8c22efea847a2e151bed54c377c12f892ee87e0fec246e

SHA512
32be4fced244c437db2d632376475018999f3947e56fd4e9a074c86f3fab1b221a2b7fb24dd6da469e294e004aaddc88d9012e1eb894b3cb410a1aeb4a7d5701

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
64KB

MD5
acecc9eea4b3b2f2204e5b35f5bf2fc1

SHA1
6a33f215fb64a6f1f5cdf318a8997f682953147b

SHA256
3b8b808b9890db6819bdc786a3c90d00853342e50c4e342a7fa9f2041e0898ec

SHA512
73629cb683d1e9b8ce4bebf0034f4cbd9b62fda58547b744759584e4faae77f88bfeda2542f5cf85b19cac8359bc1ff6083b09036ca21fc7bd5c2e97f689e874

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
64KB

MD5
74fb76234afca80b00b90a2fc6598410

SHA1
792a477e5032512427df07f75a4a129a9bae94d1

SHA256
78eb3cb6418c9db54fd738f130f9128fd5cdcea19a85ba09a95e1a9ab680e8d6

SHA512
db1ee879c1d1c9021504a25a3058d2d0422aee66b52839080b3089ba20c14a01a8c8673e660dc75db38ea9870238bd47927745da851b49613efbb298e6ee144d

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
64KB

MD5
19729bc10a9a45906232ee2780f3b6e7

SHA1
719ee3a6f6041ea48c47100888cc8907dba404c7

SHA256
9f2504de33748cc66b4d20e3151302dbdb548263142f909d9278cd02f40deb18

SHA512
aa765518f699b0fc7aa3d7a06eff7239c9154eb34ddb5e00653d4fcb02d83462495ea339954c536d0cb8e613a411b346c5395f301250a76c1ad225f837e20c8d

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
64KB

MD5
6da0825b6698e0a41e85e503bf56c469

SHA1
a88a5bf4a0225baa66028f256cdf9972e5e0c63a

SHA256
ea8af4df771351da95187cb7e24b14f5387b3f8283a98947f22e8d6216fa93a0

SHA512
6ef6b5892f940408da3c5e0f267ee6676c7afe5e33820f22b45c44823ef5ab248002f55bd56d5a4237db8ce5090df717353b9335d2b6588bc9f35119bd6fb3cf

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
64KB

MD5
5899aec8b9fd14c8986ad3e9a3e29986

SHA1
e6bb8bc4178bed1f70f32b855fa90d29d019d1d0

SHA256
beeb4825ef0d127ba10e3d556b74c23c6f5af01b5defc5e36b6dfc8e24e010de

SHA512
01e5b98cab018a5230d68ff9c3e11540588ef500685c875c1ef49442419df84bd90497eef514d342d0c077fae09edd055805f3f72765584b683adc1effc93cdb

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
64KB

MD5
5ffc31c13339c79ada43279a9e1fe54f

SHA1
4398a0403e8ac89ec15562bd30ccfb1e827ea27f

SHA256
fea0bcc62fcb330a100e2be3c345aaba65d98dfd6277c1df69511ee471bb0258

SHA512
04246325b2b2c47009c0dd6124dbfb273cc729db76f01d23c5fd5abdffbcdf8c5456a1d25577ad3b6a1a65b9d9df67993781b1682473d9b7268c702de069cf7f

Download Submit
memory/716-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4984-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5212-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5252-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5296-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5364-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5424-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6140-917-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads