e29228acef40db79bc46ad967c0c775fa2f084eab79d99f5218f36aca61331cc

Analysis

max time kernel
139s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e29228acef40db79bc46ad967c0c775fa2f084eab79d99f5218f36aca61331cc.exe
Size

520KB
MD5

bae43de374485900a220574eedc9eda7
SHA1

3ed4bd3b49fc7399dd70ad8648f20161c82777d1
SHA256

e29228acef40db79bc46ad967c0c775fa2f084eab79d99f5218f36aca61331cc
SHA512

d5b95cb87e07b84e382d5d185238d54d6c3f70a22f3128a6fadd857e0594dc99f5cdcf110bdc895782cbfbe063e3a64a2c3881c267d28c879bcdc34fef3dbff3
SSDEEP

6144:D6PKSKFFM6234lKm3mo8Yvi4KsLTFM6234lKm3r8SeNpgdyuH1lZfRo0V8JcgEH:DdFB24lwR45FB24lJ87g7/VycgEH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe

Executes dropped EXE 64 IoCs

pid	Process
4236	Gfqjafdq.exe
4872	Gcekkjcj.exe
4736	Gfcgge32.exe
2684	Gjapmdid.exe
2052	Gqkhjn32.exe
3692	Hclakimb.exe
5024	Hmdedo32.exe
4016	Hbanme32.exe
1676	Hikfip32.exe
3712	Habnjm32.exe
4600	Hcqjfh32.exe
4272	Hbckbepg.exe
5004	Hjjbcbqj.exe
3508	Hmioonpn.exe
3212	Hpgkkioa.exe
1828	Hbeghene.exe
1776	Hjmoibog.exe
2680	Hippdo32.exe
3152	Haggelfd.exe
4996	Hpihai32.exe
2480	Hbhdmd32.exe
4360	Hfcpncdk.exe
3448	Hibljoco.exe
2332	Hmmhjm32.exe
3612	Ipldfi32.exe
2160	Icgqggce.exe
4796	Iffmccbi.exe
3484	Ijaida32.exe
1128	Iidipnal.exe
2548	Iakaql32.exe
2580	Ipnalhii.exe
2552	Icjmmg32.exe
3420	Ifhiib32.exe
4288	Iiffen32.exe
3048	Imbaemhc.exe
1112	Ipqnahgf.exe
4984	Icljbg32.exe
4260	Ibojncfj.exe
428	Ijfboafl.exe
1220	Iiibkn32.exe
3832	Iapjlk32.exe
732	Ipckgh32.exe
4204	Ibagcc32.exe
4072	Ifmcdblq.exe
1508	Ijhodq32.exe
1044	Imgkql32.exe
3172	Ipegmg32.exe
3076	Idacmfkj.exe
3972	Ibccic32.exe
4508	Ijkljp32.exe
3256	Jaedgjjd.exe
4672	Jfhbppbc.exe
4812	Jkdnpo32.exe
1140	Jbocea32.exe
3676	Jiikak32.exe
2716	Kaqcbi32.exe
4800	Kbapjafe.exe
1276	Kkihknfg.exe
3288	Kmgdgjek.exe
1964	Kpepcedo.exe
4368	Kbdmpqcb.exe
2068	Kmjqmi32.exe
5048	Kphmie32.exe
2968	Kgbefoji.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hjmoibog.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5768	5532	WerFault.exe	211

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 4236	1712	e29228acef40db79bc46ad967c0c775fa2f084eab79d99f5218f36aca61331cc.exe	86
PID 1712 wrote to memory of 4236	1712	e29228acef40db79bc46ad967c0c775fa2f084eab79d99f5218f36aca61331cc.exe	86
PID 1712 wrote to memory of 4236	1712	e29228acef40db79bc46ad967c0c775fa2f084eab79d99f5218f36aca61331cc.exe	86
PID 4236 wrote to memory of 4872	4236	Gfqjafdq.exe	87
PID 4236 wrote to memory of 4872	4236	Gfqjafdq.exe	87
PID 4236 wrote to memory of 4872	4236	Gfqjafdq.exe	87
PID 4872 wrote to memory of 4736	4872	Gcekkjcj.exe	88
PID 4872 wrote to memory of 4736	4872	Gcekkjcj.exe	88
PID 4872 wrote to memory of 4736	4872	Gcekkjcj.exe	88
PID 4736 wrote to memory of 2684	4736	Gfcgge32.exe	89
PID 4736 wrote to memory of 2684	4736	Gfcgge32.exe	89
PID 4736 wrote to memory of 2684	4736	Gfcgge32.exe	89
PID 2684 wrote to memory of 2052	2684	Gjapmdid.exe	91
PID 2684 wrote to memory of 2052	2684	Gjapmdid.exe	91
PID 2684 wrote to memory of 2052	2684	Gjapmdid.exe	91
PID 2052 wrote to memory of 3692	2052	Gqkhjn32.exe	93
PID 2052 wrote to memory of 3692	2052	Gqkhjn32.exe	93
PID 2052 wrote to memory of 3692	2052	Gqkhjn32.exe	93
PID 3692 wrote to memory of 5024	3692	Hclakimb.exe	94
PID 3692 wrote to memory of 5024	3692	Hclakimb.exe	94
PID 3692 wrote to memory of 5024	3692	Hclakimb.exe	94
PID 5024 wrote to memory of 4016	5024	Hmdedo32.exe	96
PID 5024 wrote to memory of 4016	5024	Hmdedo32.exe	96
PID 5024 wrote to memory of 4016	5024	Hmdedo32.exe	96
PID 4016 wrote to memory of 1676	4016	Hbanme32.exe	97
PID 4016 wrote to memory of 1676	4016	Hbanme32.exe	97
PID 4016 wrote to memory of 1676	4016	Hbanme32.exe	97
PID 1676 wrote to memory of 3712	1676	Hikfip32.exe	98
PID 1676 wrote to memory of 3712	1676	Hikfip32.exe	98
PID 1676 wrote to memory of 3712	1676	Hikfip32.exe	98
PID 3712 wrote to memory of 4600	3712	Habnjm32.exe	99
PID 3712 wrote to memory of 4600	3712	Habnjm32.exe	99
PID 3712 wrote to memory of 4600	3712	Habnjm32.exe	99
PID 4600 wrote to memory of 4272	4600	Hcqjfh32.exe	100
PID 4600 wrote to memory of 4272	4600	Hcqjfh32.exe	100
PID 4600 wrote to memory of 4272	4600	Hcqjfh32.exe	100
PID 4272 wrote to memory of 5004	4272	Hbckbepg.exe	101
PID 4272 wrote to memory of 5004	4272	Hbckbepg.exe	101
PID 4272 wrote to memory of 5004	4272	Hbckbepg.exe	101
PID 5004 wrote to memory of 3508	5004	Hjjbcbqj.exe	102
PID 5004 wrote to memory of 3508	5004	Hjjbcbqj.exe	102
PID 5004 wrote to memory of 3508	5004	Hjjbcbqj.exe	102
PID 3508 wrote to memory of 3212	3508	Hmioonpn.exe	103
PID 3508 wrote to memory of 3212	3508	Hmioonpn.exe	103
PID 3508 wrote to memory of 3212	3508	Hmioonpn.exe	103
PID 3212 wrote to memory of 1828	3212	Hpgkkioa.exe	104
PID 3212 wrote to memory of 1828	3212	Hpgkkioa.exe	104
PID 3212 wrote to memory of 1828	3212	Hpgkkioa.exe	104
PID 1828 wrote to memory of 1776	1828	Hbeghene.exe	105
PID 1828 wrote to memory of 1776	1828	Hbeghene.exe	105
PID 1828 wrote to memory of 1776	1828	Hbeghene.exe	105
PID 1776 wrote to memory of 2680	1776	Hjmoibog.exe	106
PID 1776 wrote to memory of 2680	1776	Hjmoibog.exe	106
PID 1776 wrote to memory of 2680	1776	Hjmoibog.exe	106
PID 2680 wrote to memory of 3152	2680	Hippdo32.exe	107
PID 2680 wrote to memory of 3152	2680	Hippdo32.exe	107
PID 2680 wrote to memory of 3152	2680	Hippdo32.exe	107
PID 3152 wrote to memory of 4996	3152	Haggelfd.exe	108
PID 3152 wrote to memory of 4996	3152	Haggelfd.exe	108
PID 3152 wrote to memory of 4996	3152	Haggelfd.exe	108
PID 4996 wrote to memory of 2480	4996	Hpihai32.exe	109
PID 4996 wrote to memory of 2480	4996	Hpihai32.exe	109
PID 4996 wrote to memory of 2480	4996	Hpihai32.exe	109
PID 2480 wrote to memory of 4360	2480	Hbhdmd32.exe	110

C:\Users\Admin\AppData\Local\Temp\e29228acef40db79bc46ad967c0c775fa2f084eab79d99f5218f36aca61331cc.exe
"C:\Users\Admin\AppData\Local\Temp\e29228acef40db79bc46ad967c0c775fa2f084eab79d99f5218f36aca61331cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\Gfqjafdq.exe
  C:\Windows\system32\Gfqjafdq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\Gcekkjcj.exe
    C:\Windows\system32\Gcekkjcj.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\SysWOW64\Gfcgge32.exe
      C:\Windows\system32\Gfcgge32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        25⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        30⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        34⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        38⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        39⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        48⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        54⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        56⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        59⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        66⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        67⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        68⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        70⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1764
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        72⤵
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        74⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        75⤵
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        77⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        78⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1472
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        81⤵
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        83⤵
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        84⤵
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3932
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3704
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        88⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        89⤵
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        90⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        91⤵
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        92⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        100⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        104⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        105⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        112⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        114⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        117⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        118⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        120⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        123⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 424
        124⤵
        Program crash
        
        PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5532 -ip 5532
1⤵
PID:5732

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbajhpfb.dll

Filesize
7KB

MD5
246ec5f146a3546a4f3a26a96b50b132

SHA1
b49b1135dcb485e321c54c6ce26c204e5f180610

SHA256
d88e0d5197dae212a9bd9413547d07afca061fbb45a381474401cbfd0e533c6a

SHA512
70d931ec4ff86c2d46990db05481c4d65265044df63b04d3d37138a9b2826c201c8a660e471c0089924c07bcab76d03b94989c00d3af0e455b8dbc71a5af0383

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
520KB

MD5
acd2a2fc715debbab298188ee6a38242

SHA1
b96c271b45550aec8b4fff44146d74333a7955cc

SHA256
2f40b4c63cecaf9198e0edcf79a9d4941f3bcea6261a3d10291acdca72139902

SHA512
b2b722164503cf9031c77ecdc95c1e902f9cdef26302d83fb637aceffa0e3aa40b0dd6fcc8e67acc4e18b2d71794c631ac416c0f86cb9667c05cd19cd47cea46

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
520KB

MD5
8e76bf8e91b4443057048d8b5339b44f

SHA1
1da2fa54c0a90b27e49d19b1b5f0b144dbd2884f

SHA256
654eeb29080bbca47dcd55432a2b662ea369857a3de49bc874bc8b11d977c120

SHA512
b5a99fd3d49b77b11d46682e14e5f1d31edba2522e57c55e3a886c5f94d2b29794af57765be2eb92cc6ce68851fd166812aab902170fc7e959a496f819f0d91e

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
520KB

MD5
8970a0c754064fca2c8baccbbf9dcee9

SHA1
6fc528349e015b39e92f4e923d42aa575cff254f

SHA256
0e3f5ece6ef5a5c791cfc163457703540f5523eb22069d722ea28d6afa611d94

SHA512
4a5efa87403c96edbd7a264472f26cf6cebb8e660c4efef67668d0ad3f2a044178c81b563cb1db1d75f8ea942b8093bcd2ced0f07c133a7838e0cdb0b2692b2d

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
520KB

MD5
efe8dd2af645012c979fdc0e35c12e30

SHA1
fcfc0fa1e0b5b410fa6c10cc27ddb526d973c30e

SHA256
b7ac51916d574b190bcf7fa91a004aa19876f28b13a9a86d82d0a7af7af07e47

SHA512
83aa5216106b8e84cb7cf762e132d07348c4b2f5a8a1270bd6c7fa8d95ece392ffcbb316d215d7c06f736a1ee3a499a5c27f04484d78f2820fd1f78f3f382c6f

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
520KB

MD5
c41a7a31abc2eb0c477ae5acba5c7eeb

SHA1
dcc2731ef24ad3945eeceb736761829306cfe13e

SHA256
589e3d595027e6a49d429c54ba4089446daedea5458b807cf94ad162467549d4

SHA512
c34db153b146cf79191d037728f25d367ff0925504372e459082f37092b2cef8fcee475c45b785645c283e50c985abca17f5fe4dfc19216d4da84e1cb01dc9d3

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
520KB

MD5
aa27dcae04f85637d1c658c2da0131ce

SHA1
fe1ff17cfd83d2f26e0ad9e5cc859eaadacd0e09

SHA256
5a0e29356150e5f43060b20947cd959efb9fde34424c27acc54b2195eab2de56

SHA512
6288acd51bf4defa75896f166e13347c80e455595dbf7af43dc211810104d07ef41d5f356da71c8fd720e56bdf807c3aa8bcb1a3c4451eb0f4d329bbe696b796

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
520KB

MD5
5369af2eb182f242c81df6c5864e829f

SHA1
f9f4a7a748fb4a7089c6630b892dfd033a639f48

SHA256
d84ae57904becc77b0c393c5ee2b6c037dbc2f144e39ec8855da63ef3cfc6eca

SHA512
d104102485e92fb9259c370cd177d8773f827278943f164b92111cc1cf521ac5cade03f70d223a217eacb15a6694ab839efb8e5380a9a17a12c97bbd0f7f387f

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
520KB

MD5
72408b5e48d89cf56118784160efef13

SHA1
07bc6923b5d5f4137ca927d93bdf149cdbbab00b

SHA256
89a2eba05800b9905ce6950aabb40a5fd946f762e71e7ae10c437dfa976bb544

SHA512
2145200c31574e7b1c423c221a100dabf002ebbe77bb53389f58951b6b55aa835f0bb07a8e8e59b335c447a7bc6e4015b18ed5b14aa7c499852ed9f53ae462fd

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
520KB

MD5
27f843b6f8c858b287a901a01ece3d98

SHA1
06af24563d7a77ba83a0e16bdaab757925900788

SHA256
a8cd90a0d553061c624b2669361a0fa8106cb4c55158860caa8dc84f3b0f382d

SHA512
b5d94c99faf2682ce7770116b928915d92cc800450fdea951734de0129f4d50a396a0a81d3269c3738373adb8e645a71fb7919ee22d64e60edecd6e6b48e414f

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
520KB

MD5
0b749ef4517258b8ae3ed7c54f62c99b

SHA1
5c176871ed5ccf5794f8160a8aec3452072cccb6

SHA256
6a84d71f4f111af185a87ebe204382e4999d08cd58ac7a655a6a5736e6cbcf72

SHA512
6899290edf7db22c14bac650fad90b2eb4449f9b2a6e6397efc5674adac1bead1d6638ab56464087f07a6e9d9f711ceaf8a9866df0bbcb7e6371fa9514f1da87

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
520KB

MD5
3fbb4018cd6a369971369af0fedf5d1f

SHA1
3cad95ffcd1812dadfb26a1efd383441ffbf93d6

SHA256
30f679f57de8d4c44203c247598225e43dc170edae6fb9993ddf4b477ab271db

SHA512
21e138ceceaff845caf79f898b737c41d685a5826bc1dd49f6e5356ecf0c993d9f9dfe9a5fd347625239913e03d3204ac1da79305e36e3407e609ad68f55f9ec

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
520KB

MD5
9512729e4488ab2e797446f415424782

SHA1
ed85159ddc7c39e592209216f014fc858a0ff769

SHA256
bc28659fc18968cbf8c28ddb91110c666f4bef4e383b3f2961b1144f30314574

SHA512
eeda59ae0ba919a841e2715b421ab0ae2e30efdef4473ac8c67f17d5945cacdabad56a513872f8cb505874e7afdd3d21c5090b650c3b1be76a7a8c20328dd3f0

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
520KB

MD5
3eefca61852d8fc90a411b5b614fbe59

SHA1
25a2b09bc9986c31186f5eefacffda9416f09a5e

SHA256
f05b8f186b56c11f3d3a94b73c7f797f9149a08c874d12d6a6e3f40a85dd67ef

SHA512
6c48ed848991f19b96fc11cedf2e7365b57a3e9b62f00546f5f1394d060152942a3158799d0780e66138e06fb3c8ad97d8b9855e18d8c1fd5060a3655efe3529

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
520KB

MD5
2743ad015c0100da54518f0a4763c830

SHA1
0a969cad3919e86c24d23d753bedfd38d8da9c28

SHA256
d253047368d502b5192e3e4d34414c406ae2213041f898d5f2ba28c579f24fc3

SHA512
02af06efc0a24523893507e9e3b4ad0e7c16469c3a1eef8410f92882bef527023679e2f7a42ccb401c1c1931c0df638d129f970fbc2283b37135b3a0caa4330f

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
520KB

MD5
ef7cdb15f1caa82a835c80a29d165922

SHA1
ba4adb511db45df9ebdcb0ecb88454cb581be21e

SHA256
62aa3de2201054ac505783908abec57fb2f41b5f3c21947efb84cbba03b5c5fb

SHA512
0efb8c83e2f28fc5d76f5c883067251a2ac48861b2254be71fd45657a2e947151c100da2f80007f379d0dea3b1e36179e5e17d03d55d6f0eadbf2256782c1867

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
520KB

MD5
e9421ee85dcf052650d98375fce2c56d

SHA1
5423d0e431ea146c02e01e7dd325a3f275f99015

SHA256
6a3e4e950081f76f2d64d544640fcabda5be65fefac561f54ef84dc253f509cd

SHA512
50811fb37a8ba98838e744ca11a01097b07ce907d5c0c98b7adc8779d6383a55dcc426f168dd581146f5106658252f99d47992c86b1d4c752a50049c95e20951

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
520KB

MD5
f8dc374330880deb9f3767db4bf68331

SHA1
9e1465121be872211d4c703cda08d0c223839e9c

SHA256
0cb65099f3727efe773b5b7629e5ffb9f8ca262924ddfdd8a381f8c130e5a65d

SHA512
9a755aa97af6a61e8097321691f358d4f11f85e81bccc111587ffb1c2d00ab87a4c8968248860e6ee0ba3061130d4a750a300a58f17f24c52c9256c5ba639042

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
520KB

MD5
083819262199f91cccc2469200b3d639

SHA1
980b79e390dac05d469d1ec3a98b214080c56ad4

SHA256
8a03a5343fc93814dd79f9f95634167a02ea97fe5237cb0728080926544ee05b

SHA512
485895d122b15b5cbfa81368a007d951b89ee67aee7827476c5fbee9627b9b7f38bf99109e162e4fd76f5fb736bb03f740e4718e079866684eca83d218cc085d

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
520KB

MD5
6c28bba14779f6f1d6a7cc84227246d9

SHA1
81e85d64b9ff11025d2137622e58a7da0638f256

SHA256
82c71648a33bd1bb51cb63727079207651299f6d51973fb02b70c96e62f8e053

SHA512
0584ff56db9029c79e57e8ad0b1922fcfff9ede458e6e85cc9ba33a07f6b8c2eb87e2f65a03bbc78cc484a79b739211f79dd110e3c70b394c1001bc591e80195

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
520KB

MD5
0c4bb1bc4a08aad755141e1d961b772b

SHA1
c4b52b19868f11096e5097bb5c95c80bda6fdfde

SHA256
dba53af71cefb215fcd3900127a5a48a91b4fa04bbb37148579c50e4ec933869

SHA512
a9d25cf2757338959d392d9314dec6663bb0c537544676bace043f52ce825e5f3e8fd87442f6e1eb878c8ca9149564300689a360d216d27079e90209cd4cfc66

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
520KB

MD5
503fa73de74cbc86e5abb2746c295292

SHA1
47deedc02525b1cb2786118e9efed34ab16a8f18

SHA256
4baf2e678e2ccd14603f16352f773a8bd1b2ae4daf8d8d17eb5fe90439262452

SHA512
c1a67ca8cde117f50b6a53ddcc0c09c55c32d3c53cb20701a1c08a41b5afdc773a86184870c101910645fc1be1c4d75d0c98ef41872136bbf6e53cefb224b6b1

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
520KB

MD5
3150fdb8227641e3edfcb070d7a5a73e

SHA1
faf95db6fb57787ceb7a45d1d3251ee070023cb5

SHA256
9a5455c13fee387c3b81ea60b8c274c5d5b4dca42c6e53d90f151f2a2f7d5d14

SHA512
04a4e9981aa8189787cf99f64cce8d7776f5c3143aac84b546948bc22d880b8074450cb9a597387970041b37673a135840634bdc2160a2049b97331e15375eee

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
520KB

MD5
15e32ccbf10b16fb9b8d4b8dda77539e

SHA1
993a19aab8c9a5c004db511c487182f224220ae5

SHA256
0b75dadbf5823e27a71458b2b269ef8c14a0c5c7e0d0158faecce5e806c57582

SHA512
311908f6a7bef5be4030125e66dc9a06c0210aa660a713b80555db8b0384dcfc362a515a0919e2e37a7a16b28c045ff924c2e5fd67ccae8cf5a13012f3465e7a

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
520KB

MD5
4f5eb5c8e28b2ed5e215ccefaf8d8c68

SHA1
e279eeda1e3b6b6a7f435eebd7b67f1a06fbb97e

SHA256
7964e722311d961898465d98cbd1e41d889f89fdb3b4db883ba6b888f930bc06

SHA512
3936235689057bd976fae595a781f98d1d47c2b5fef6be6359c116b6a33f24cefd7c53e3c50fddfbcd5713e1143718c275a15a25954abc76f5aecb3323d12740

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
520KB

MD5
0a74f6ff10b37c67df9e0fbaced9d7fe

SHA1
80c517227df8a42b7c37ce73af05326d10561cdb

SHA256
41022320e18f1a428648147551e16c9075fe4a27658a0f293f33242db16e8df7

SHA512
dcbe0d4cd103a8bd5a611cc8d73414d89da58b8a342fd05d9bf2be6efbf50c8066f729346876b4937eaeb5feaff0d91baf8e70e06601458d58e0101c0d650728

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
520KB

MD5
5ca31e188a2d0833fc8d05f069964aa8

SHA1
0740048e304c9a6efd359e306e481ebb01c39f61

SHA256
3821683d9c7ee83442edace424aae1d87658fb10ba009d2d3c9d9acc27d452c2

SHA512
cbaf68284d1da9a4fa5ee09b38697390d1e0593061b351cece9eda037c646c60f406d0d9ff5d36fc3baa7f854b7a93214fcd8db5ffe0eaafed505dee5a7fb8ed

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
520KB

MD5
8f70c6afc449cd3dedaad14045b72897

SHA1
c6deda6b997184b2ced8c1337447f89ec8c2f8ee

SHA256
eca424f1974bab216f7bff02d03d07d8e06e1dea9c987e49088a73c6ada8b88e

SHA512
e5a68ccfa9b57c0cad0c1932af3d7510575e3266145e2d3a9ef094c0d8c45e222a8b9b134a873a17eccd7cdf8b31e4d28b49f2ca87defbce55cf86d0ee67ac58

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
520KB

MD5
2750169a254b3517abd5a56766f1a462

SHA1
ab5d64e63ce7cc821c4a0398bd376beaf77d1d0b

SHA256
346a9275b888ffdacac5f31d0cac53c3447646fe0237577fe7898b17b8efa99e

SHA512
c6bff4c72250cda185ec45df8a8044356a1a9147b39f1d8a8d22075b57fa2be091f65c9717e303edbf09a83a50c85c646ea4297a3c8641cf1a9ce5b3f324cf29

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
520KB

MD5
934561903cb867e9990571ce589f0906

SHA1
92483bd8bf807991edfbee6070cc85391253a5c3

SHA256
7b232364da3b5c354c16d2edd711308ef607339e0d931891f684e0bfae26552a

SHA512
5e4d24a51233ce2197a539599f852b15bf6203bfcfaa0ab4031cb2c0af169f9820cf168f76d4138af6da3f30ae63dad01b05bc3cc4226f10b055f46f1b3f6ece

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
520KB

MD5
6d934f40c247707edf60fc091725fd3a

SHA1
a7857ccc2d512e519c930faa3611db2cad3733d1

SHA256
ac44767ae9b883ba3734d7d80cb506a7fa12ed78302d81b11dd69a3ad9ac8872

SHA512
3e8e831c473a4d18e6b3353b6bf91c48de680de7ff15c4e7c3f47728131f7f8bc37236cf09833c819536a6a256f123171fcba98dabf5f13b1a57dbde21054928

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
520KB

MD5
c5eb2d3b64a570d19ecb5e167beb4659

SHA1
e52a88412ee22ae4cf370fde5d97f936d2c1bae2

SHA256
dada402d20489519579af0d38368ba39fa6f66456173e0f0a1a4245103e30a2a

SHA512
6314afc6498e6ef0cc8e63d35fa2425b84f8215de51be7d125e0646acb463d7f7009f3b7d1c320d4cffa146d01be4c0302b53353d74e7c7177412d4a5f0aee43

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
520KB

MD5
45ac18680b6d01ab83a426dbe2588a85

SHA1
9c28b2b20fe0cc4e5b9fedacfde04f2b6e8226c9

SHA256
9b7ac58e6135bfa2ce5904d0d9eb4e0671392e8f405eaf402005e52921174a0e

SHA512
c02004ffdc2533d9224e1264635628a8c9397b4cd242797d7e75636fcb2a783424edd3087dc85f4c1113e2c518b80392c917809ab7fbdc6c28daa7b85bbe6e4d

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
520KB

MD5
a0eb6d85d18aebedfd29626e16b9d515

SHA1
b5df8e3dbafa6eaefe7173723de40128e5618dfe

SHA256
f654b35a20c0b3416c462341ea40880f3ea0ef4efe61b264322f8f6c98eb03e0

SHA512
0db356d446dacb5ac0402bc084e45562052d0324bcd062e8616ee97dc7a47a540475c6833a1d2806bea937da7a659eb78322ecc37dfbb3ced9214c31c09e4fa0

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
520KB

MD5
ff1128ba10a567d49b37826a01b3e03b

SHA1
c855d83bcdd4e85c2aa847277acd7cad853094b6

SHA256
95be8f452ebf51cb637df732f274bf0769260c27bf224df8700c89f055fef430

SHA512
de28577cc4402d3810070dabcf6c547854696fd0ec20c3f3b4922b67d7db6416fc64581898653b92531a5071bdf053b8d21bf6c6cae44daa5a084e75c9828639

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
520KB

MD5
4383ddb1d0375017550acd315cc1c41f

SHA1
6caaf500c94dbaf4afbeebc93718de89d4be47f5

SHA256
8f005ad4b069496c6a852305b7fb4b24738c51115ad656db44b26ceb5c834a35

SHA512
d42353922d45495f8905b6d0a211fe56cfde59bc3b33436e636406da45c40f8217e1e00de76d01f8b53a518672f42df749f7b0faddcf86a3902e4e14e872d455

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
520KB

MD5
c28540ed7760c9c2a85ba64c8f5d4668

SHA1
da44a5f8d2c21fc75dfccec22b1493b1e2638dae

SHA256
458b7e68d8b7f254357a5e7e08036e09f6cc6367ed9e7f71fbca6e53b796c818

SHA512
d792c20e1f583d6e797169272a760cdb3acc5790e6a9db5b58c110da2e8fae354388e4e8dae3aea6597d4c19e97e0b458deb9164409bca7a82e434f15e6cd9b6

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
520KB

MD5
7f5da4fdffa03ccf7a565ef3c21c9905

SHA1
4b5f92b033b0f66f0bb3bce5a2eae206ea431d8c

SHA256
bb9fff63bdf9df0cab3ce0e0eb1f95ef650747b63fe8ead6bc927bff3ddd0fa8

SHA512
bed154f8dab8b6f1f69cf5f4d7480faaf9dc300f29391e245d6060aa43f090fc7b57412be51dfdf6d2db79ea8e519be7bc87f1aaa6b741b5103bb9d2bb58e55b

Download Submit
memory/224-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-848-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-866-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-607-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-617-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5252-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5292-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5340-836-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5456-798-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads