6b34067b98936dc636474a01b1d1f9fecfc41cedd6433ace42398f35574a5bfe

Analysis

max time kernel
139s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 17:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

022e6b19ca261c4bfa1f1c5a5c4974fc.exe
Size

1.2MB
MD5

022e6b19ca261c4bfa1f1c5a5c4974fc
SHA1

e8cfa171f831345652e24c7c1ad3b3cf967f0b69
SHA256

6b34067b98936dc636474a01b1d1f9fecfc41cedd6433ace42398f35574a5bfe
SHA512

16cf683723e81ca9b45f07480b4ecfb8721a0d1aa3be15308fe47ef1b8a1d4142f74e2a5a8946830ff547fd7608c0e6ec705b41ae9fb64f957e0b4418d86236e
SSDEEP

12288:Ah4Osf0FHCXwpnsKvNA+XTvZHWuEo3oWbvrec:d0ZpsKv2EvZHp3oWbvrec

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/2692-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000c000000023b36-6.dat	family_berbew
behavioral2/memory/1484-12-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b95-15.dat	family_berbew
behavioral2/memory/5324-20-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b97-22.dat	family_berbew
behavioral2/memory/4632-24-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/6056-32-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b99-30.dat	family_berbew
behavioral2/files/0x000a000000023b9b-38.dat	family_berbew
behavioral2/memory/2308-48-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b9e-47.dat	family_berbew
behavioral2/memory/4156-56-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba0-55.dat	family_berbew
behavioral2/memory/4616-44-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba3-63.dat	family_berbew
behavioral2/memory/836-64-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000b000000023b92-70.dat	family_berbew
behavioral2/files/0x000a000000023ba6-79.dat	family_berbew
behavioral2/files/0x000a000000023ba8-87.dat	family_berbew
behavioral2/files/0x000a000000023baa-94.dat	family_berbew
behavioral2/memory/5524-107-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bba-153.dat	family_berbew
behavioral2/files/0x000a000000023bc0-174.dat	family_berbew
behavioral2/files/0x000a000000023bc8-202.dat	family_berbew
behavioral2/files/0x000a000000023bcc-216.dat	family_berbew
behavioral2/memory/660-609-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3500-604-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2584-603-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/6096-612-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3444-611-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/5156-610-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4628-608-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3652-607-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/5700-606-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4312-605-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/5384-617-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/5292-616-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3748-615-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3648-614-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3240-613-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd2-237.dat	family_berbew
behavioral2/files/0x000a000000023bd0-230.dat	family_berbew
behavioral2/files/0x000a000000023bce-223.dat	family_berbew
behavioral2/files/0x000a000000023bca-209.dat	family_berbew
behavioral2/files/0x000a000000023bc6-195.dat	family_berbew
behavioral2/files/0x000a000000023bc4-188.dat	family_berbew
behavioral2/files/0x000a000000023bc2-181.dat	family_berbew
behavioral2/files/0x000a000000023bbe-167.dat	family_berbew
behavioral2/files/0x000a000000023bbc-160.dat	family_berbew
behavioral2/files/0x0031000000023bb8-146.dat	family_berbew
behavioral2/files/0x0031000000023bb6-139.dat	family_berbew
behavioral2/memory/4540-632-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/832-631-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3192-684-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/5816-683-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4816-682-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/5720-681-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/5008-680-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3996-679-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4700-678-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/5620-677-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3292-676-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2204-675-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
1484	Gmmocpjk.exe
5324	Gfedle32.exe
4632	Hboagf32.exe
6056	Hapaemll.exe
4616	Hbanme32.exe
2308	Hikfip32.exe
4156	Hpenfjad.exe
836	Impepm32.exe
3396	Ipnalhii.exe
3460	Ijdeiaio.exe
5924	Imbaemhc.exe
2564	Ipqnahgf.exe
5524	Iiibkn32.exe
2584	Iapjlk32.exe
3500	Ifmcdblq.exe
4312	Iikopmkd.exe
5700	Iabgaklg.exe
3652	Ibccic32.exe
4628	Ijkljp32.exe
660	Imihfl32.exe
5156	Jpgdbg32.exe
3444	Jbfpobpb.exe
6096	Jjmhppqd.exe
3240	Jagqlj32.exe
3648	Jdemhe32.exe
3748	Jibeql32.exe
5292	Jaimbj32.exe
5384	Jbkjjblm.exe
5396	Jidbflcj.exe
5196	Jdjfcecp.exe
4164	Jkdnpo32.exe
5708	Jmbklj32.exe
4772	Jpaghf32.exe
2728	Jbocea32.exe
2592	Jiikak32.exe
5244	Kaqcbi32.exe
1136	Kdopod32.exe
3036	Kgmlkp32.exe
5812	Kilhgk32.exe
2996	Kacphh32.exe
2000	Kdaldd32.exe
832	Kkkdan32.exe
4540	Kmjqmi32.exe
964	Kdcijcke.exe
1652	Kgbefoji.exe
3612	Kipabjil.exe
5976	Kagichjo.exe
2100	Kdffocib.exe
840	Kkpnlm32.exe
4784	Kmnjhioc.exe
460	Kpmfddnf.exe
216	Kckbqpnj.exe
2236	Kkbkamnl.exe
1416	Lmqgnhmp.exe
552	Ldkojb32.exe
3548	Lkdggmlj.exe
3920	Lgkhlnbn.exe
2788	Lijdhiaa.exe
4408	Laalifad.exe
4940	Ldohebqh.exe
6028	Lgneampk.exe
3084	Lilanioo.exe
2912	Laciofpa.exe
3172	Ldaeka32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	022e6b19ca261c4bfa1f1c5a5c4974fc.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gfedle32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	022e6b19ca261c4bfa1f1c5a5c4974fc.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5076	676	WerFault.exe	190

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	022e6b19ca261c4bfa1f1c5a5c4974fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1484	2692	022e6b19ca261c4bfa1f1c5a5c4974fc.exe	83
PID 2692 wrote to memory of 1484	2692	022e6b19ca261c4bfa1f1c5a5c4974fc.exe	83
PID 2692 wrote to memory of 1484	2692	022e6b19ca261c4bfa1f1c5a5c4974fc.exe	83
PID 1484 wrote to memory of 5324	1484	Gmmocpjk.exe	84
PID 1484 wrote to memory of 5324	1484	Gmmocpjk.exe	84
PID 1484 wrote to memory of 5324	1484	Gmmocpjk.exe	84
PID 5324 wrote to memory of 4632	5324	Gfedle32.exe	85
PID 5324 wrote to memory of 4632	5324	Gfedle32.exe	85
PID 5324 wrote to memory of 4632	5324	Gfedle32.exe	85
PID 4632 wrote to memory of 6056	4632	Hboagf32.exe	86
PID 4632 wrote to memory of 6056	4632	Hboagf32.exe	86
PID 4632 wrote to memory of 6056	4632	Hboagf32.exe	86
PID 6056 wrote to memory of 4616	6056	Hapaemll.exe	87
PID 6056 wrote to memory of 4616	6056	Hapaemll.exe	87
PID 6056 wrote to memory of 4616	6056	Hapaemll.exe	87
PID 4616 wrote to memory of 2308	4616	Hbanme32.exe	88
PID 4616 wrote to memory of 2308	4616	Hbanme32.exe	88
PID 4616 wrote to memory of 2308	4616	Hbanme32.exe	88
PID 2308 wrote to memory of 4156	2308	Hikfip32.exe	89
PID 2308 wrote to memory of 4156	2308	Hikfip32.exe	89
PID 2308 wrote to memory of 4156	2308	Hikfip32.exe	89
PID 4156 wrote to memory of 836	4156	Hpenfjad.exe	92
PID 4156 wrote to memory of 836	4156	Hpenfjad.exe	92
PID 4156 wrote to memory of 836	4156	Hpenfjad.exe	92
PID 836 wrote to memory of 3396	836	Impepm32.exe	93
PID 836 wrote to memory of 3396	836	Impepm32.exe	93
PID 836 wrote to memory of 3396	836	Impepm32.exe	93
PID 3396 wrote to memory of 3460	3396	Ipnalhii.exe	95
PID 3396 wrote to memory of 3460	3396	Ipnalhii.exe	95
PID 3396 wrote to memory of 3460	3396	Ipnalhii.exe	95
PID 3460 wrote to memory of 5924	3460	Ijdeiaio.exe	96
PID 3460 wrote to memory of 5924	3460	Ijdeiaio.exe	96
PID 3460 wrote to memory of 5924	3460	Ijdeiaio.exe	96
PID 5924 wrote to memory of 2564	5924	Imbaemhc.exe	97
PID 5924 wrote to memory of 2564	5924	Imbaemhc.exe	97
PID 5924 wrote to memory of 2564	5924	Imbaemhc.exe	97
PID 2564 wrote to memory of 5524	2564	Ipqnahgf.exe	98
PID 2564 wrote to memory of 5524	2564	Ipqnahgf.exe	98
PID 2564 wrote to memory of 5524	2564	Ipqnahgf.exe	98
PID 5524 wrote to memory of 2584	5524	Iiibkn32.exe	99
PID 5524 wrote to memory of 2584	5524	Iiibkn32.exe	99
PID 5524 wrote to memory of 2584	5524	Iiibkn32.exe	99
PID 2584 wrote to memory of 3500	2584	Iapjlk32.exe	100
PID 2584 wrote to memory of 3500	2584	Iapjlk32.exe	100
PID 2584 wrote to memory of 3500	2584	Iapjlk32.exe	100
PID 3500 wrote to memory of 4312	3500	Ifmcdblq.exe	101
PID 3500 wrote to memory of 4312	3500	Ifmcdblq.exe	101
PID 3500 wrote to memory of 4312	3500	Ifmcdblq.exe	101
PID 4312 wrote to memory of 5700	4312	Iikopmkd.exe	102
PID 4312 wrote to memory of 5700	4312	Iikopmkd.exe	102
PID 4312 wrote to memory of 5700	4312	Iikopmkd.exe	102
PID 5700 wrote to memory of 3652	5700	Iabgaklg.exe	103
PID 5700 wrote to memory of 3652	5700	Iabgaklg.exe	103
PID 5700 wrote to memory of 3652	5700	Iabgaklg.exe	103
PID 3652 wrote to memory of 4628	3652	Ibccic32.exe	104
PID 3652 wrote to memory of 4628	3652	Ibccic32.exe	104
PID 3652 wrote to memory of 4628	3652	Ibccic32.exe	104
PID 4628 wrote to memory of 660	4628	Ijkljp32.exe	105
PID 4628 wrote to memory of 660	4628	Ijkljp32.exe	105
PID 4628 wrote to memory of 660	4628	Ijkljp32.exe	105
PID 660 wrote to memory of 5156	660	Imihfl32.exe	106
PID 660 wrote to memory of 5156	660	Imihfl32.exe	106
PID 660 wrote to memory of 5156	660	Imihfl32.exe	106
PID 5156 wrote to memory of 3444	5156	Jpgdbg32.exe	107

C:\Users\Admin\AppData\Local\Temp\022e6b19ca261c4bfa1f1c5a5c4974fc.exe
"C:\Users\Admin\AppData\Local\Temp\022e6b19ca261c4bfa1f1c5a5c4974fc.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\Gmmocpjk.exe
  C:\Windows\system32\Gmmocpjk.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\Gfedle32.exe
    C:\Windows\system32\Gfedle32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5324
  - - C:\Windows\SysWOW64\Hboagf32.exe
      C:\Windows\system32\Hboagf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6056
      - C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5924
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5524
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5700
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5156
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6096
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        31⤵
        Executes dropped EXE
        
        PID:5196
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        46⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        68⤵
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        74⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        79⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        81⤵
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        84⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        85⤵
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3292
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        91⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5008
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3192
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        97⤵
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        98⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        100⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2988
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        106⤵
        
        PID:676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 412
        107⤵
        Program crash
        
        PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 676 -ip 676
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gfedle32.exe

Filesize
1.2MB

MD5
35cc4558e92390042433d54ccbc4f663

SHA1
3c4cf6b141acb19c2b760a249fbe437a3940d9e6

SHA256
100a02ffafc8bf1b2b6559e7c87d6c8b6c4ba02c31ea729f02d3340ac172bb4f

SHA512
4466213a8f426660baefce823378b795f2cd906f9178f02854e4bfb929090a2b253a4a206dbde4bdf6cb312eb6b17838dee771515a7bcb0686cb427bf4275ac4

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
1.2MB

MD5
72e9414b5552c907b6e1dd22e9016c1f

SHA1
d2aa2b341b4d93d1d56ff26569eabcfdb2d2cb69

SHA256
a3a81ef70609d9b528c21b59b970165a1be3607cc7b49078ec47515c7f7c469d

SHA512
1cda81043b12467eb2746eb1f488ce8e9b00598e383f62facf2eb7e2aa98b28f8a06259d36c7c9b28a1f9dfa2c7c791ac294e76957392c6af1d28237acd9e808

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
1.2MB

MD5
0404286912372d8d6cb698b4d8d5dc17

SHA1
8c02415ee861decf3817582d3bee3b79c0f1f744

SHA256
882cd13165bb36f9bd4f52ee971279b39da11b4dac23e78089c587092f24bb10

SHA512
8d2c9272fbbd98a8fd914c3a429ef5616c1632abf274eb2161a4381f61b359da2a02ff41e4ed01eaa793833f68fe3edbc79727d416d4b6a53be123f6577d434a

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
1.2MB

MD5
d84719c1ec1c8bb65c91c204e08d60d2

SHA1
7c2e383f25f82dc066ffa52d8697ac71d35413fe

SHA256
6e277cc3693daff492f2f62e6a7541201042c5e3fecb51334a18a7c8d1ad31ac

SHA512
9a09071488de05ec67c7bb1e346be8e0c6905c56ef434a1c3b7a13cfc7276e61d5f9cae68d6c1355cfc7c396f230fa2156594214634460004cc2a19aa3837c8a

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
1.2MB

MD5
149b03e34fdd9fe4f96351342e355f4f

SHA1
238662a7025d6179d6c81f11b409ed87f24c53b2

SHA256
5313718c29cf0b13831ac8d90aa9ea02e885da8711a5585e1ceac7c1faa33544

SHA512
70fb21293e9b6f532faec191801782c9b90a60d1144582b698c84132ce0d1b853f772df32fe925213028d896f1175fd31ccdb1f2ac37e185790348bc03943b29

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
1.2MB

MD5
7c65346f493dc7d59a755ae39a5995ff

SHA1
6433da26a2ead0750c4002fea25bc32d3574f605

SHA256
34f6b2ae0f4cd894d194fcb6a12ef35c8e4f385b4030813ded8a6682349cbe71

SHA512
c919202577e7e51b7fe5250c7329b60985858900b16c2020fb46edec926f2f4ec282c15e77be4fead6d0d6bdd7112b0c14342dd75570ed34a2618e82c5d45985

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
1.2MB

MD5
7c11e3e8e154be99e71483cbade78167

SHA1
35b93fceac38ea75444f766bf050322c3421a78d

SHA256
43b99f8a3a38699b547459a8701c5a5b154efd9fbaec611877abaa43b55271d9

SHA512
3266df5fa7a9338ac5e8f5e40ce54ddce5b74c14862569f198451a1e43ce551b152b46e08244e5033aa8a516c9cf897b158570e725c20816bf80bf51e1705538

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
1.2MB

MD5
03185d74bd2e35e83bd0368d163ea6e7

SHA1
78236862357df66ce5c917641235557e21ceb207

SHA256
6fc8523ba41f2a303d03fb34e5e41e2306629d9e2458d59b93761ef92ab670f0

SHA512
68e8004106a7f9fd72ed9d940dd00c1b66cfb30a28d9270d82cd3af702d066967044452ca102d650dad20624bbe8e8fbbf65a630575ac2236b0589323514b2ae

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
1.2MB

MD5
86d156ad1741338d2afa7e42e1926abf

SHA1
5a1967423eca7ed825e9ac965dc27de7b0fafa44

SHA256
8529398e5b6c0d930b75113f77feb7739cc7799e9f63a5d0a09ab3b484e902dc

SHA512
e9f6731ba0e5c3085ef02e5be788f4dc3361cb63df250db514e385b5a6db9ffe0b6c87d0fec66487426cb9190713d992e43e26e3d4003e680f5f2106792e25ef

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
1.2MB

MD5
84966fae8692ff498c98979ca8846aa8

SHA1
da7987c901455c2ac11948e99c996fdcb6bf64c7

SHA256
a29e28143fb21eb95741bda3b4d117001eb14af7163381a214462a4d3e98f1fb

SHA512
40afd55c2fd91f1fc74abf259171087e1ce8c5cd00ef551b9658116f5ca6bad7da1adc4746cccf198f0a4960ff5f2cf62ab3faeeb5b04d2390b3ee098d2fe950

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
1.2MB

MD5
10b323b0e63d67988f791d4aa5238cd0

SHA1
7de71a2289a2d696f2afe7f7303dbc6fdf06ba21

SHA256
124e76fcaae6b246b6dca12fa61af14d5cc46fa5a26400314b51437eea45c3b4

SHA512
256444ac057e9210662ad4393062f9eaf22ab70cf5fb44d8dab75cd989c52005b94a0ab06998571f565a71629d4c4c9ff03c5f7cac5d805d6a6e4b4403e0c315

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
1.2MB

MD5
ba50e339c7c18be8f9d4b6172da94fe2

SHA1
eb6449bb5cd9e74cd10b783adfa0ba4a4389c409

SHA256
0de63926a59fec49913a21b7694aa984e91b8770778604076da603b7c4af776c

SHA512
cacbd5ecb9997b94b9b93b1b05c2a3bed1cf064271b5189b3204839eff41c7ae91dfcbc6e6145f889619d0df583a8c823577f0a493f6c6dffc87dda6da07279d

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
1.2MB

MD5
0e81b6e638f49861931e3abcd5886780

SHA1
7c453f942ef6bf235b508da1e299327ab503ee9f

SHA256
6f8c3d6ef9d5ff9bc7abae9f6ae3e5941b915a454e55cb3969e62ed8cb0de95a

SHA512
c8579340cdb17b2037bfe99d342e51f43cbd62990b7ee3a4e895b13257b290be6ff086b4b334ef237e96348526e6513c5cc1659fcf6f263566d0eb1e0c027604

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
1.2MB

MD5
6b13633a93deaa6d9bfb1f85d161288f

SHA1
c835c5fd9e9487ff0300ae458fac43281e992bec

SHA256
4a8d395d7fbf77a69d4c2bfba0596962e126ec7481e93a6d6ae9a970af78137c

SHA512
e39ed417d413edb9a638d9d28fed1d2602a0e93fefeec3da8111ed5bdebed77617805710b8a58dceede9bf7264b64bdc2010426dcab002306853264e313991f8

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
1.2MB

MD5
96515579779d577876487b79699527c4

SHA1
3e12a9b69feeb39f0449ef5f3f82c2d9da5e6358

SHA256
8a5d8fddcd72f6f001d9061a95f824a1e46f558553f6c720a5357d61809a9ccf

SHA512
806133d68e15a23dd234971d2a5986b6ce38ad796f87d05acff92c6ad9c958b63db4aca3b5bcac82c9fc056f91ed483f4631a206f02fb3aa3ec6ae303ad24ddf

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
1.2MB

MD5
b3353c785796ddcec025ab488a603796

SHA1
d6e128c14a21f98627b16d1c36fe4cb7aac6b19d

SHA256
c377569304bbf3bc60f6ded262603417dd55219c28eed169d4b4c15f75d9dac9

SHA512
310d325ff3d603ff7efbcac7116f952f239e1ca10e3e0c36f91c339c179ea82d3bc06fdc1eabfa4d3e5f173f5be71e4fddf9f92a6b22afcf694eb8e1f7255e6a

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
1.2MB

MD5
d8acd10b544683e7e70bfcd6adb09af6

SHA1
d2411f2fecbaeacf36608d09d768c34e1943b736

SHA256
d42ba49fdd41da397a82672109668d7f7dfd8f8f37eee97d1a52870aa6d3a46a

SHA512
54285f78b7f8ca5058acb58eb37d83061c9757fcca4167b14418d45b67bba93f6844ef60371a869230c944804d034b5dd65ee3c3db16a761a7ad520ecfbaa774

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
1.2MB

MD5
1f1cf162d95b0794103e7cd63422e313

SHA1
9dd030e9cfc5ed3b914a44203edb5bfa0a43a991

SHA256
8470359623afb4c00630f5dd24a1e7a75d2d419e5298c9c09196aa91f907e185

SHA512
0970bb29808f18de7c1fde125603bbec6a82471eaa795628eac910585364572f876cb8193fe65c510d4f89a5a48bd1d87b445ee168ef476219d4b7e78f69301e

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
1.2MB

MD5
82a1abce30ec5b8e776f0e81020b87b2

SHA1
df62dbf3a382d2856ab07e768c55c6c086101b04

SHA256
b89b38e6e69408f149309473b15f8e1ac433c72f2b7db16b5538b696363b296e

SHA512
5b6874145b060d7e6322f569b40215bb9b40af8bcb99e25ae1d500fde424a273f55c7ebf21b62d34c50b28c70821f2539bde6fcd47268f1be09eb0fb1728d69a

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
1.2MB

MD5
c8899756ca8854cfc86635a809de9a2f

SHA1
f3575fef8557578ff21a71247763d254cfc1454b

SHA256
90e4980b872849b7f685b7d3d30917b5d08f28b0f04d271db265572e52e5eb5b

SHA512
413d153dcea9be47753e7def489b51974e575bd350b374b3c7894ae478483ee31df27c11e632220a4847995f7f0ebface98d49fbe0086034ed97c9cae50c3a77

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
1.2MB

MD5
6043c5c41e35863e93021b1cd80b9cc7

SHA1
0ef6e65f0e71daac2ecd54441479942a57807297

SHA256
79e37824ecdd6f25120587b2ab75cf02d03dff5edab5530c73d5f695c141eac5

SHA512
cd52b008c52c049d68ca7fda964d78bcc197985b088ad9ead29f75017e6072e7db60b9935184b23e1f8ea226afb89dcac52ba7b08828e5287fb3acdd90c2d735

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
1.2MB

MD5
259656e0b7acf317c6f081cc5e9d29f6

SHA1
c8088c6519a081b963cf7d8d8b47e89d793c1b58

SHA256
cda3941d82d7d0fa05a3d9724feb97993b52cdaa1761c9c416f8be8f8abcbb21

SHA512
11bea62f66bfd9c974c3b5cb48e996341d355e490e00a280d058d275e9ed866ef65c8bda345a828e8ba18be3fbe1f448ef42622005e83bfb689c7d0dbc0d34eb

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
1.2MB

MD5
3275cced644d92a09d9654d818a895aa

SHA1
440fd5e39bb363cf71ecc0c1be3cacaa81aa16a8

SHA256
9c02e97935830de7f56ffb8b4995aadbbcc713f5824a2422d5340698bc94b207

SHA512
82bc75426ff23be1002d13646096588527d417a7c50a636962c8452d58b791f9d4228610395753662604e5a8b1d4f1b0e2f47b599754a1568772da17d9140644

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
1.2MB

MD5
a2cbbfa12bd82648b38e34f1d80022c5

SHA1
07baad7f90b9909a98732c58509fc869c2ec5132

SHA256
9049a9c69d0ee707107ee8985a1365abcab079d431066493b62212ad99871235

SHA512
859a82f583192bb545e77cf4e33087d083f522c5f5d56a4c90b540494a71371928b9ef4cd0de4eacf3c1e67f909d49abba8f1f13003eca062a974d32315b5c0e

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
1.2MB

MD5
c1fa2664eb95315bb40988ac36db6541

SHA1
5e1f40a563f56a6ccaf37ecea8f7624d83ba8cef

SHA256
188b2b63a53e440d88230b636b5f1a36829b8a5b73a1a10e1fd124cc7ce7346a

SHA512
cc44c717f00ab504f165f404c3d2b38d204806c7a6096ad0b27d9a9326aa5be23a837cf3e20040ebc47d71bb9461b839d405503345fff42f877706da99becc45

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
1.2MB

MD5
d4f4e301fa0a15df8e734d48da660180

SHA1
765f2de5094183ed42ade478541d542c55ce26fa

SHA256
4aec14dca6fe0199532f07f7514ec122a1f6730db91a439b7dd2e2f34639e9b6

SHA512
ee0f16be13922da928d15f110ad1daaae4771540eaf8989e291f6f5687d981ef6a69f4f82e61de970f776dabbed3f123a013a44b8b3b53ac27b606e6cab078cf

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
1.2MB

MD5
3677271cef05c4125d6352dc548980ef

SHA1
8cba26f7b9fc28e9d826576eca98f778cfb4769b

SHA256
188fe146bb75553722a1f708a41df533483c5c9ed351fa912dcd8b5bf6019003

SHA512
a8754c5dca4a464a9a1eb0c0bf783927c96076594bc1355cea4e342c6fbb776e730c40876f977605120d2fcd164f3cb104c06bb89ba152b6f4ce316be82827de

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
1.2MB

MD5
59e502e3a32ed8ab9e38b88c79bb0e9a

SHA1
e6213f8e468b618a7cd50af9ceea48b4345f6e6a

SHA256
136acb23dbdd5631ae4dda3e4a0a5f780951eb877fd1db243e144a429fbce030

SHA512
a5e9ef188e2691d496e77e00c25605ea26b5eefa6c5149a4160aa813ba06abf4ba1ac349aae72cea78425effc67f10f6f6a7583b63cbc35d065549abeddfc9d4

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
1.2MB

MD5
845d3f2741edab4539ff4799430c29b8

SHA1
17cc541c2b5c0071e834ede344d3f41b6ded506f

SHA256
89f41395d33c9b4dbd3283918e841919192aecbd6e80b5ad0f70121db39399b6

SHA512
74bb030230c022b340fab9a93d9b709b115df8195b12dcd496be365015b860a301cf8f09573c9286a8eeea47103aed75e308e9b3ca9655dd0ca4ff2e2d2dd73d

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
1.2MB

MD5
1398154363484f7431870fea5f43139c

SHA1
3412627c007432e68f42e36e8a4a787d33b620a3

SHA256
036eeb2f66175abdcc4b1cfa01c4c4d9da2bcac956061e30d762a2c08ab01a12

SHA512
64f44ec9a3472c799b378118c250aa134409e9db14a36d7897d47ddecea14e8c72b166d79bfcbd5968d02db9f13051a44611568b725ec6c38cda617e422ee0d7

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
1.2MB

MD5
7c0f6a884ace5c4504afcb60e317d250

SHA1
41a3533cc930aa1e232512ad0fccf30ddc1da677

SHA256
d17dd14d808e3c3a9bf4d6d2a1e8ad52abc9ed6029c0d5cfb5079d9b57525e40

SHA512
6bf45bf6faf2c6a51739053cb4ffdeca39ab973f198f67abdf398fcb0bd0327c8684dcdc75427f7d66fc634f58731a6e7c55a88d04c8b083f9e50eb95ec1147c

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
1.2MB

MD5
656be2f677717df6f8fc2922d4f99351

SHA1
50b6341cebec9c3c540c6637fe5426092da0d6fe

SHA256
382b540d326a035086556715231d538e23739397233832150c41224e02fd92e0

SHA512
9887017208cca20890d21a15b671294148ad8de7f1ac696c1786ac7f2470c60a856d121f62685a4c90c48af95f6a3c5ebc3713ae5e8d598dd51e2d2a25a30b3b

Download Submit
C:\Windows\SysWOW64\Ldooifgl.dll

Filesize
7KB

MD5
adb33ded93e8e0e545cd2efb0f90da5a

SHA1
068d77690e3b037eb98d5084f6fabf24ddd3d4c5

SHA256
a3e6cd0c57ad88b939c82efe85d9a93981fba189e1d93dcaa6d443ad9218e15f

SHA512
033b63880316b3eadb3263286f312a24c499bf5a2add707c4c9958d574d1d3b681ac33acd2146d45a6e250c7228fa0147300bba43f8aaaa10710c41064f68053

Download Submit
memory/216-641-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/392-656-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/460-640-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/552-644-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/660-609-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/832-631-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/840-638-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-633-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-669-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1136-626-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1416-643-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1456-655-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-634-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1684-674-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-630-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2100-637-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-673-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-675-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2236-642-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2256-658-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2308-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-657-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-660-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-603-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-624-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-672-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-623-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-647-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2852-661-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-652-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-629-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-627-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-651-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-653-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3192-684-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3240-613-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3292-676-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3396-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3444-611-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3500-604-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-645-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3612-635-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3648-614-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-607-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3748-615-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-666-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3920-646-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3996-679-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4092-671-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-670-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4156-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4164-620-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-659-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4312-605-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4408-648-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4540-632-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4616-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4628-608-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4700-678-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4772-622-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4784-639-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-682-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4940-649-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5008-680-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5124-668-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5156-610-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5168-654-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5196-619-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5244-625-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5292-616-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5324-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5384-617-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5396-618-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5424-663-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5516-664-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5524-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5532-665-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5620-677-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5644-662-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5700-606-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5708-621-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5720-681-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5736-667-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5812-628-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5816-683-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5924-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5976-636-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6028-650-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6056-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6096-612-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads