770bfbda0a4dd72450a1ca093327ee38a503590a50e1c70a8975f7386017974e

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a163827417943ce910c06cef4c6b9792.jaffacakes118.exe
Size

409KB
MD5

a163827417943ce910c06cef4c6b9792
SHA1

c64cfe7ffcbb1c48b52a68beba68c52480ac9a07
SHA256

770bfbda0a4dd72450a1ca093327ee38a503590a50e1c70a8975f7386017974e
SHA512

be68e0707ef1b4448792d615bee2785e3ef73a604303c24c10c2200811f9d61c4f2d80a09e400729c1b95e3283446646ed2a962febe210bcaca941e1689eef6e
SSDEEP

3072:Cclpvy8/41QUUZm8/41QrAoUZ4pWLB51jozFWLBggS2LHqlhTZNAqWBWhjozFWLX:X31ZgZ0Wd/OWdPS2LStOshOWdPS2Ln

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe

Executes dropped EXE 64 IoCs

pid	Process
3892	Hbckbepg.exe
1760	Hadkpm32.exe
3368	Hpgkkioa.exe
4500	Hippdo32.exe
5492	Haggelfd.exe
1612	Hcedaheh.exe
4932	Hbhdmd32.exe
456	Hfcpncdk.exe
1804	Hibljoco.exe
4388	Hmmhjm32.exe
3172	Ipldfi32.exe
5412	Icgqggce.exe
4784	Iffmccbi.exe
4604	Ijaida32.exe
3576	Impepm32.exe
4048	Iakaql32.exe
3932	Icjmmg32.exe
6108	Ibmmhdhm.exe
2504	Ifhiib32.exe
5620	Ijdeiaio.exe
5576	Imbaemhc.exe
2760	Iannfk32.exe
5772	Ipqnahgf.exe
4184	Icljbg32.exe
3736	Ifjfnb32.exe
860	Ijfboafl.exe
1452	Iiibkn32.exe
372	Imdnklfp.exe
640	Iapjlk32.exe
3112	Idofhfmm.exe
3140	Ibagcc32.exe
316	Ifmcdblq.exe
4564	Ijhodq32.exe
2668	Iikopmkd.exe
1828	Imgkql32.exe
1540	Iabgaklg.exe
1060	Ipegmg32.exe
4280	Ibccic32.exe
3880	Ifopiajn.exe
5080	Ijkljp32.exe
3524	Imihfl32.exe
4188	Jaedgjjd.exe
1796	Jpgdbg32.exe
4736	Jdcpcf32.exe
4740	Jfaloa32.exe
2984	Jjmhppqd.exe
776	Jmkdlkph.exe
6064	Jpjqhgol.exe
1908	Jdemhe32.exe
5624	Jbhmdbnp.exe
3940	Jfdida32.exe
2448	Jibeql32.exe
2976	Jmnaakne.exe
5756	Jaimbj32.exe
5656	Jplmmfmi.exe
1716	Jdhine32.exe
1664	Jbkjjblm.exe
4320	Jfffjqdf.exe
1012	Jidbflcj.exe
4684	Jmpngk32.exe
5072	Jaljgidl.exe
4696	Jdjfcecp.exe
1404	Jbmfoa32.exe
4672	Jfhbppbc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5768	4464	WerFault.exe	211

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a163827417943ce910c06cef4c6b9792.jaffacakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a163827417943ce910c06cef4c6b9792.jaffacakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 3892	3984	a163827417943ce910c06cef4c6b9792.jaffacakes118.exe	83
PID 3984 wrote to memory of 3892	3984	a163827417943ce910c06cef4c6b9792.jaffacakes118.exe	83
PID 3984 wrote to memory of 3892	3984	a163827417943ce910c06cef4c6b9792.jaffacakes118.exe	83
PID 3892 wrote to memory of 1760	3892	Hbckbepg.exe	84
PID 3892 wrote to memory of 1760	3892	Hbckbepg.exe	84
PID 3892 wrote to memory of 1760	3892	Hbckbepg.exe	84
PID 1760 wrote to memory of 3368	1760	Hadkpm32.exe	85
PID 1760 wrote to memory of 3368	1760	Hadkpm32.exe	85
PID 1760 wrote to memory of 3368	1760	Hadkpm32.exe	85
PID 3368 wrote to memory of 4500	3368	Hpgkkioa.exe	86
PID 3368 wrote to memory of 4500	3368	Hpgkkioa.exe	86
PID 3368 wrote to memory of 4500	3368	Hpgkkioa.exe	86
PID 4500 wrote to memory of 5492	4500	Hippdo32.exe	87
PID 4500 wrote to memory of 5492	4500	Hippdo32.exe	87
PID 4500 wrote to memory of 5492	4500	Hippdo32.exe	87
PID 5492 wrote to memory of 1612	5492	Haggelfd.exe	88
PID 5492 wrote to memory of 1612	5492	Haggelfd.exe	88
PID 5492 wrote to memory of 1612	5492	Haggelfd.exe	88
PID 1612 wrote to memory of 4932	1612	Hcedaheh.exe	89
PID 1612 wrote to memory of 4932	1612	Hcedaheh.exe	89
PID 1612 wrote to memory of 4932	1612	Hcedaheh.exe	89
PID 4932 wrote to memory of 456	4932	Hbhdmd32.exe	90
PID 4932 wrote to memory of 456	4932	Hbhdmd32.exe	90
PID 4932 wrote to memory of 456	4932	Hbhdmd32.exe	90
PID 456 wrote to memory of 1804	456	Hfcpncdk.exe	91
PID 456 wrote to memory of 1804	456	Hfcpncdk.exe	91
PID 456 wrote to memory of 1804	456	Hfcpncdk.exe	91
PID 1804 wrote to memory of 4388	1804	Hibljoco.exe	92
PID 1804 wrote to memory of 4388	1804	Hibljoco.exe	92
PID 1804 wrote to memory of 4388	1804	Hibljoco.exe	92
PID 4388 wrote to memory of 3172	4388	Hmmhjm32.exe	93
PID 4388 wrote to memory of 3172	4388	Hmmhjm32.exe	93
PID 4388 wrote to memory of 3172	4388	Hmmhjm32.exe	93
PID 3172 wrote to memory of 5412	3172	Ipldfi32.exe	94
PID 3172 wrote to memory of 5412	3172	Ipldfi32.exe	94
PID 3172 wrote to memory of 5412	3172	Ipldfi32.exe	94
PID 5412 wrote to memory of 4784	5412	Icgqggce.exe	95
PID 5412 wrote to memory of 4784	5412	Icgqggce.exe	95
PID 5412 wrote to memory of 4784	5412	Icgqggce.exe	95
PID 4784 wrote to memory of 4604	4784	Iffmccbi.exe	96
PID 4784 wrote to memory of 4604	4784	Iffmccbi.exe	96
PID 4784 wrote to memory of 4604	4784	Iffmccbi.exe	96
PID 4604 wrote to memory of 3576	4604	Ijaida32.exe	97
PID 4604 wrote to memory of 3576	4604	Ijaida32.exe	97
PID 4604 wrote to memory of 3576	4604	Ijaida32.exe	97
PID 3576 wrote to memory of 4048	3576	Impepm32.exe	98
PID 3576 wrote to memory of 4048	3576	Impepm32.exe	98
PID 3576 wrote to memory of 4048	3576	Impepm32.exe	98
PID 4048 wrote to memory of 3932	4048	Iakaql32.exe	99
PID 4048 wrote to memory of 3932	4048	Iakaql32.exe	99
PID 4048 wrote to memory of 3932	4048	Iakaql32.exe	99
PID 3932 wrote to memory of 6108	3932	Icjmmg32.exe	100
PID 3932 wrote to memory of 6108	3932	Icjmmg32.exe	100
PID 3932 wrote to memory of 6108	3932	Icjmmg32.exe	100
PID 6108 wrote to memory of 2504	6108	Ibmmhdhm.exe	101
PID 6108 wrote to memory of 2504	6108	Ibmmhdhm.exe	101
PID 6108 wrote to memory of 2504	6108	Ibmmhdhm.exe	101
PID 2504 wrote to memory of 5620	2504	Ifhiib32.exe	102
PID 2504 wrote to memory of 5620	2504	Ifhiib32.exe	102
PID 2504 wrote to memory of 5620	2504	Ifhiib32.exe	102
PID 5620 wrote to memory of 5576	5620	Ijdeiaio.exe	103
PID 5620 wrote to memory of 5576	5620	Ijdeiaio.exe	103
PID 5620 wrote to memory of 5576	5620	Ijdeiaio.exe	103
PID 5576 wrote to memory of 2760	5576	Imbaemhc.exe	104

C:\Users\Admin\AppData\Local\Temp\a163827417943ce910c06cef4c6b9792.jaffacakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a163827417943ce910c06cef4c6b9792.jaffacakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\Hbckbepg.exe
  C:\Windows\system32\Hbckbepg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\Hadkpm32.exe
    C:\Windows\system32\Hadkpm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\Hpgkkioa.exe
      C:\Windows\system32\Hpgkkioa.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3368
    - - C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5492
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5412
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6108
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5620
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5576
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5772
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        25⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        28⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        35⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        41⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        44⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        49⤵
        Executes dropped EXE
        
        PID:6064
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        50⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        52⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        57⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        59⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        60⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        63⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        66⤵
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4952
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        71⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        73⤵
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        74⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        75⤵
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        81⤵
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        82⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        83⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        84⤵
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2152
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4624
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        94⤵
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1984
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        97⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        98⤵
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        99⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        101⤵
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        103⤵
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:888
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        105⤵
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        106⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3788
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        112⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        113⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        115⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        116⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4360
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        120⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        121⤵
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        122⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        123⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        127⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 400
        128⤵
        Program crash
        
        PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
409KB

MD5
7989ecec6786f415743a7bc4c0ea5764

SHA1
fb4fae234c0fa1e8b0025d4a28169cd2659e7400

SHA256
d038df3c6cff7ae680cfd366679837678768882e6c3b002bdf6c3763a1925602

SHA512
da10d999a5ca29c8e9714c59b982b0480b871bf2d5184aaafb9a6825817f19b6b4c2a8767a40b62a794ab9130f85f9891412e0fe6453ab9ec0cde6ebb40d734e

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
409KB

MD5
461d96c4b9be1b72bd4eda57564ee4e0

SHA1
fbde0f8ba9bf3938682da00d9227cdfdd3e25f6d

SHA256
55256e0570677a1985121deaa5f817891bfc5af36261404f588a9d0391ca0565

SHA512
e6eb5762177caa201354c9662691cec41a60ea568b507e1b7a8e7b6b88db9ef77eecdb4f2c8015c986932e47f9ded8d78378285c426175a856d52bb590a807bf

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
409KB

MD5
e1e8abb871ef78baeeb50660661127e3

SHA1
6656594dd96ff9963b9d8044dbe5ead9cb994db9

SHA256
8d514aaeaecbfbacb2f17af615e21112ad66848b44e35a724df55babe22ec2bd

SHA512
e7ae5309844ab2241c2f5b53f7a64bc05e3a3345956efa8be3ecba28ba16cdf666e2e2e2751abf2e7950ef22239de54f0a87ffed836c943e9d157bb51cfaf527

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
409KB

MD5
193168f6d6a3f88d66aaa3624136a54f

SHA1
a8e0c17f071711ba46e0ec9cdc709960ac0b9ef4

SHA256
c86066e111e93ed3c916448e909ab5401fa16e7af051cfac4c2d4721607ff6b5

SHA512
4c38c1c537bd58b640777aec6ad4ac9322df89d463323527cbfbee4302d3dce17ae42d1e486e1e2b01a5f12d46991dd82b890cea551913a45477de4d4bdea750

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
409KB

MD5
762c1b5ba104b26e50a302e9411b3753

SHA1
cb54a03d64d5f405077d7e4234b0daab56565011

SHA256
10e32ac421d9d6f66b2010338a2bd875965a80b7d3003792902d598787822524

SHA512
29dab43a89e1729f2a11fcf12497dea1d6a1e773cae3637b2b95087c45358b8336532879b07f0ce53366ad01494a585f51710036de86713ba3dfd372a3a97954

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
409KB

MD5
304212fd9691c7a675772de1af8a6ae5

SHA1
03dd699669d98e75b3194cef9ac5d61d2955efc3

SHA256
ac2348cf2cc28f2e07985d9ea11ee281963b771ae4a0197ab39ef4f50ac11c82

SHA512
2b078a7d1e9854da487ae890620726e23af6bc95896b29cad84a368bcb6fded6a0a2b3a45c53288b7e8595cacf85366213c6b4bc739ac414e677f5ce18f952a5

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
409KB

MD5
3daeb14009f730263c7df6377bfac334

SHA1
d5cba0cd6043b4585438ff4fb44014ef02c36802

SHA256
14b3249c0783fe2a722775524ab7144c477f9a0a9bb52c6e8016c74f93ced3f5

SHA512
1b98e7682ad6499de7ea43058350dcf35036d8791067b848e3cb45d81748ce3080688febb12e77966221ab88319f1fd3a71962c57f865120fec511a1004c418e

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
409KB

MD5
2f3d714e8c7cc5fe27b98b4c1b36fa57

SHA1
7d9aaae24dd4d2ff3a0cb61208c527b3aa7f55fe

SHA256
4185852c76ae73e570d2facbdb873ec0bf4f5a4d7ec73f18c6d684192d851997

SHA512
e340b567c4715260cf2d130f1c741062e9ac4809883a798105ab444f14fdfd9aba883ae2fecfc16e39afdda9648a3d7e577afad8f9ce715029fcae454b15ba9a

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
409KB

MD5
0b912b96868483762bbd8952bcd21973

SHA1
accfe9b7273efff5a07444ab53cc30acd21354ed

SHA256
a206ffc6b044bbf43926a7162073d73e9734449c6abf1b2c821e7b47a0149dc3

SHA512
6e0a91e39b2c365ccf62021e54340c2e5e0e3a7d63d1b0b34f09a649df994cb7d0acf3ad21a8feedb3d3357fba45fccc13af9797fd6825c2249879cdde1a12e5

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
409KB

MD5
6cce05a84cf74d94b00f893c58bb3b8e

SHA1
05edb29322b15e57055b2eb683da46bf2207391d

SHA256
a41e835dc8b46e0baa5052c55ffc81c65a54f3e509f1441fe68b4e75c388baa0

SHA512
01353d7f0fc98746b103b22c1fbb81c2b0049d24320d6091914a2c4a3d972d9198480169c4750986820bdcc718a06d7adf61061e63e0757b0c05406ff7454ace

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
409KB

MD5
2a2ff4a523b0dd7df5c836650314979f

SHA1
a9c06a11370b8be8b12f8e911ed7a3c431829560

SHA256
02e178c88f7cfcc7daaa0ba15b092a2c0c2167cf412ca4d4256833bcf88221ba

SHA512
b6f9aa7a91fa4cd0fd5d453388b163372ceed938819f70265d4ce17c5e32bfac28e88a5a9a829ea4a88ab4be81004fa98c435fa4dbfdde76f97fb4eb4ed1dbd0

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
409KB

MD5
e864d11ebe76adb05ef50291f0337dcb

SHA1
922ae458fab2ce5a0710065d40d4a0a3ab866c46

SHA256
519b2762f42da617b14bce9907314c990040fcce75ffdf1eae331ade04cc8a68

SHA512
56421828f0520fb8798bc974a838bd3d0003b90df0a1d1dca3c0ec487b51baf9bd624db83bd0e3c457b81eb4b985532e36b555bc688bcab0f8bc1221130a8a34

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
409KB

MD5
bf1c07ae4855b60c3f0ea02453065736

SHA1
269d08555cc005dfc5df34a1068e532cb7bc0c6b

SHA256
f5d49f5bb1763718c20ebbcf714c4e8a36566d02d4e32b95a35301340920c888

SHA512
4f2700969dd7a149d7d93b7855225f7298b98b65ab08e691b0580098fb412c937608990d6f1abdf6f8e26ccdf4ad910ba6c75af95f6ea5bc101e97ab3d1b914f

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
409KB

MD5
0c2dd218a8653d65903c8b059300674b

SHA1
6f52d6e11fb5389f4b1cd66aad09ea2df4d4ad07

SHA256
92199f9bb27f82394ecacdb6c01c48b54c05c94dc16615aa9e5773c9aa306c53

SHA512
6dba33d5b2174df19fe43a4cfd977f787d0a4a6cf2a07f866e9426b29edfe26809fcf4826a97eca861b5e4553cf2687423cab10e94415370793656e22f40a663

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
409KB

MD5
7abdfc7a1c9ca897cf71fd9b363be9ff

SHA1
8ec768279b024825f2c91db76c7ad8f13ad84820

SHA256
12ef6e31e0fbdae416a8857b2d958351b4011309d037be4ec87d1a7cfbe0c9f1

SHA512
078017ca7024b0d03a3e3f03b215e73b9551442c67e001914de72cc1dd9214a5efe9feed1e552ef6f7aea2d557405267a409142f05b8e03a4646705a31b243cd

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
409KB

MD5
c26ffa950c33cf28f4b4a1fd80668d5a

SHA1
c9030dd84a6dadf81c74e68bbb3b96aecb4b6967

SHA256
d4eac212f813fb593b076cede51b2b23b1444e8b65e1f849924b6403c9120fe4

SHA512
925808ef7b4eb7a38701291fb26da53e53857d0cec25b33ee98ca5a4519aa59f18aa5541cc15bff2ebc5a15dd06d51d614395876665c802c5f402f69ed58930e

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
409KB

MD5
26d46ad750e8ed0f69c5453ed56df9ea

SHA1
b1871c319d27374cb29a237dd88c66f3cb30e084

SHA256
223372591cd17fad0b740eb890c485ea6a87b6e1f7cbfc246bf79230b7ec694a

SHA512
3b31f900e22d96fa84ba6126b07faca7829e78b56d45e441a13ddf16f96f46456141ded70975e5448a3ab7aa245ac23de991852a6694ae3ac5812856e492bb5b

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
409KB

MD5
2252aa71a151002caa99c12b28abbc16

SHA1
57a89cdccf28a447a66a713622d48b3391142063

SHA256
8adf777ed9ad3219e91de600d358846fc909b9c5c0e4835f459e4dd56d1d4714

SHA512
07e8eed697a85ca3ea1aa3d083fa981c5d163696e3e952fda941fb545e2e93ed49c23710cb7e150a3547c1acace8c8bab1fbc185072946e4b3c0bc0136bd6595

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
409KB

MD5
b85fa2d92e4cc50c0c1c79abe7fbd111

SHA1
eb46f773910c835f111c3cbb0bd7bf4746e43864

SHA256
540a582b4be1b42a310b7daa854997fa4fd4e57e11abaf9cc7d559c4095dec85

SHA512
01a92b1e47918535cee38284291677b70fa2cdba42ebf7dd1e18d51f34c494ede847130a7427f1962d5f15dfeb697908fe34ad192d6660f3fa65044635ab6bc2

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
409KB

MD5
177f956c137e09bed02ce152bfff36fd

SHA1
391bb69bfcf1da3eb8a7f557494607eb8db269af

SHA256
d406970a2927ab93572a5b7a27630388a31b5faf6b969b79f897273b8ab23bee

SHA512
03968ca9dac1f93531a07e89d98115883dec18b81f5482e6f03d79733728980d7863aba650bf129fa589b11c3456e196b885d8b78a0f1f52ac48bd7179e1d51b

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
409KB

MD5
e5e6437ba23de77d8def66a2bce398a7

SHA1
9c7df821c3b7285a127cafebdaf48d1a47fede7f

SHA256
340f71a0cf63923be485e881e612a8580b74d7be743324f5cf5cd64c4e95beac

SHA512
f7e854df8d3da93d3c527103d54ab77392d9becd48f253608b8fb19f1346ba988bf6c1ec51229700a334cce61c3b74c1e1fd3599033140229e8ca477f0710c9d

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
409KB

MD5
453a50b37ca72fbc7cdd3c570e9a70b6

SHA1
47de7c67e97529b185d677bc3fdeddb9b87293e4

SHA256
b419a548d19a1f8ffe66c50698c3d7f30b2866867178cb1d6b541ad5f7074ce6

SHA512
9f207ad1c43ab32351a6de6deee2e7bb44ca4ca91b997758c059b5f1baf1f4e7dc4c670bff690ed6a58e5c5177c47b7a0fcbeaf3bba5c3ddf2a807eaebde5ca4

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
409KB

MD5
2dc8258b5718a1592da39d58c2be84ed

SHA1
0fa8873d1dbe9c1f36f995a4ba9a291cff2a1788

SHA256
7f4ea8433fe119a3bb7d5b31be18460ad175246044aac06a419c4bf24221f580

SHA512
ffaaa46a64285c2a4dca28f8261d4072bdc072f1376574120fe9c0c6ea3d6ea0fff7d6dff4ece44027d069a74ccc5029b46cc05a604c7eb0239e1fe6c64113de

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
409KB

MD5
afa075743b15fe8ade4d41522cdf146d

SHA1
32c239fe0ff9c2f9c203d93e13afe573fe338624

SHA256
a0884fdbc27e4288a5ebf6709dcb862f0f7cd5f1a52d436fb0a3b2fa5542e93e

SHA512
687e8923064d3e7602a1d7655f2091466126632957cbd6e155327022bb312c697dd87ea78af71a4e524a8f94558c1aae5d45211042c0663f379e8cdbe00db840

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
409KB

MD5
c65071fbdf7eb7c889e3553a5fa2b5e3

SHA1
55f877953f618a29bea907842fdfcff1df208cba

SHA256
844694725112b88af8abef770c854db11af93049bb4ba6dbe4661eccd61a5b0d

SHA512
3e5507bf7c7482c2ff0bd2fee8953bd34265594e8bffba7fce4a0f6a876251e1f9c63b3ea95e79f2e87c7fe7fb92844e30b1cd5136d1c45cb2f6a066d703997a

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
409KB

MD5
da8f10aaa3b89a70c8444d59c4570abb

SHA1
7c889498de9e31497757cb7a0b17b931b2300f71

SHA256
63bfc4d6c75f9acc480377f72d1d77f1d56efedf553b2a42072db81b3aa0e9a0

SHA512
3aae9ddeacd18043b27b181d2249eccfb1ab0c881bafe2adccf38ab02d1b9f7bc4a6403a856b887ddebc460155f141ca73dc94118b46c5357b83e658b164da68

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
409KB

MD5
cc55e8a419a6328709a1b975d897731b

SHA1
d9f3082fbef8c742687cdb26fa794d3dbef24a14

SHA256
874dac744984d4841936d05f3b34c96cb7ee2ba0b0d9c4eaf4114659cbc588ab

SHA512
f8a025f7cb85389d086042e5b1b8d9952e5ad4cff4946c2289d6beec975f859cb3cdc16d9a8c3302ced9de724d7ca642dcbef902da066b2abae8416209a80e74

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
409KB

MD5
b2482455deec11ee5b756967ef5ccd67

SHA1
eb1f877d1851b5459b581d42b79ed835d2dffab5

SHA256
c55f1f0802204035eb2fb573f86745a392efaa7a76111de6c08849fd76b779a2

SHA512
8f40d4aaa281ab987fc5744168525b8963eafe12930020d0c14fdca66e546dd906e6d59be0d9a4de35248836d23ea1c1657d98f4dfdab9f16a11b69005ed897d

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
409KB

MD5
4b62e8dadf235fcd809cc312313f7a39

SHA1
82f5d1daf979fa8617cf6853936b2a4a4c5e2a1e

SHA256
b018c6526fb3db574495281e57abd20a8481f803aa565b1a96a148b134645fb9

SHA512
2ce79f80c9e18647977c9c1b875aae0d0953533d5cd4c50b4b27817a8a2957e9f79b0fc484c5feaaf73558cc97ce2531bd9a5cc5540390153153934ec1fc993d

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
409KB

MD5
6ab746d2ef4bfd621689158410c3942c

SHA1
9eec95e091a892fc6b5b59e9f2be89447cdfc0f9

SHA256
8857df47646e582bbfc3f03847611419d404b9e9576e16fa124d88aa2a1b6e2b

SHA512
abccccab0cc43843e3ee15ce64cf89c72a6c75438ac308acd11af94d23f34893454b283404459d72d34738b2de5a04d077b70eacf463964f7552339ff65d0d6a

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
409KB

MD5
2266ece822051f34bc90f47c1a28ec78

SHA1
0d8af35d09df45133ad24ba8d972f740c3533eb4

SHA256
74270282fe069f3b3bd3a39a2c9ad8fa2b1a03205aafcdd86c0847719498b798

SHA512
dda42b6f653bc44da5e3f966cb8c54230ca67e86f2cac28807b9fa5c48923e3769efca037250e391e9f541a91efbf1c69a359c6ed1305251e2aa9eb3e5ee6033

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
409KB

MD5
a78a99ab688287301ad6e41146bb21ce

SHA1
82d86365d7632a6d5f85b1d78c3dbd5699388ad9

SHA256
9c5e5f7b29c3af726c6874d799feb301b4c74cc5b0e4ad5cbe75648e55505802

SHA512
07c815b7a1f6c4251a3a5df275df9ce8a8424c277ec9edd5ce801f9601b304bbc94d124a0625383ca2da72019cfefdfacbf35759c19bf4af1c1c0ddab6346c7f

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
409KB

MD5
f393f8d207857f7931b268daaf4de851

SHA1
f3f04f01a6d1fb45528855e3f45b431d963c38d3

SHA256
5369e215b96423c984a8cf92ae8fdc62b9ce12097d503d57807db140e70d4139

SHA512
3f0be30d5ce06079510fa84546828e0507cce3273353bccdc2a056920eb5742f952351c0449a9fdda787d6aaaf2fe2958ba44c98beea5618519a868c30d72c0b

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
409KB

MD5
dd5bdf5dadbfdaeb9dc209cacec95c63

SHA1
e49ea33ab7c71e9d4f680503a9bc949f52267e1e

SHA256
7a893a8fc46bb1fe48383d3114a717013d4d70b9de7db8a293680be9541f06dd

SHA512
49eb0283cf725e8aca5f5aff2aab373671cd3b316a07a0b43897b04a56d13392f9fbf8a80e84a2a7c55b86f0de8b943c3a56733cb1fad0d84dcba96aef980f64

Download Submit
memory/316-963-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/372-970-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/372-450-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/456-75-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/640-452-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/776-932-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/860-448-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-757-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/884-782-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/888-642-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/996-522-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1000-601-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1012-499-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1056-618-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1316-778-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1404-516-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1436-539-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1452-449-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1468-790-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1468-744-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1480-688-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1540-954-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1540-455-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1576-698-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1576-804-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1612-55-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1612-1014-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1664-491-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1716-485-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1760-20-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1760-1022-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1804-76-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1828-454-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1908-474-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2004-802-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2104-603-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2152-563-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2168-653-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2448-477-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2448-922-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2504-428-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2668-959-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2760-983-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2760-435-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2976-478-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2984-468-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3112-453-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3156-786-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3156-756-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3172-420-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3368-24-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3576-996-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3576-424-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3736-447-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3768-682-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3788-670-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3848-788-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3848-739-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3892-8-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3932-992-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3932-426-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3936-676-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3940-476-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3984-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4020-545-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4048-425-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4184-442-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4320-493-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4332-792-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4348-768-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4348-780-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4360-722-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4360-796-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4364-635-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4388-419-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4428-620-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4464-777-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4464-774-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4500-32-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4564-960-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4604-423-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4624-578-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4672-518-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4684-514-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4736-466-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4740-936-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4740-467-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4752-586-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4784-422-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4932-57-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4936-556-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4956-580-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5080-946-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5248-654-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5412-421-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5492-51-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5528-794-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5528-726-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5532-785-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5576-434-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5592-714-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5592-798-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5620-429-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5624-475-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5656-480-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5656-916-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5756-479-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5772-980-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5960-558-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/6108-427-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/6120-800-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/6120-705-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads