8fe4d327fe42464f2395c529a7386ee39f11d6c6618faccf32f8d73ea7451233

Analysis

max time kernel
137s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fe4d327fe42464f2395c529a7386ee39f11d6c6618faccf32f8d73ea7451233.exe
Size

224KB
MD5

3f5b6f3457fcf8036ab43215528c7f9b
SHA1

57bf3afdc1b9d7d41e7f54645d286ea86e42fb75
SHA256

8fe4d327fe42464f2395c529a7386ee39f11d6c6618faccf32f8d73ea7451233
SHA512

97887243913a861daab4e483cfef14487898ddbc8ae1b391ba3470f6cb8b28b70cee87818b963a08087ac4ac3ce6f4ad66f0cbb9c5c19557d55ad6de3a5cb39d
SSDEEP

3072:tfUofCqG9lj2B1xdLm102VZjuajDMyap9jCyFsWteYCWS3:tfUofCbTj2B1xBm102VQlter

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8fe4d327fe42464f2395c529a7386ee39f11d6c6618faccf32f8d73ea7451233.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe

Executes dropped EXE 64 IoCs

pid	Process
388	Fjhmgeao.exe
532	Fmficqpc.exe
4852	Gcpapkgp.exe
1164	Gmhfhp32.exe
2836	Gjlfbd32.exe
2004	Goiojk32.exe
2900	Gjocgdkg.exe
2752	Gqikdn32.exe
320	Gbjhlfhb.exe
2564	Gidphq32.exe
4684	Gbldaffp.exe
684	Gmaioo32.exe
4308	Gppekj32.exe
3672	Hboagf32.exe
3768	Hbanme32.exe
972	Hikfip32.exe
1568	Habnjm32.exe
2220	Hbeghene.exe
4244	Haggelfd.exe
3320	Hfcpncdk.exe
3056	Hmmhjm32.exe
4200	Iidipnal.exe
4420	Ifhiib32.exe
2580	Imbaemhc.exe
4160	Ifjfnb32.exe
1452	Iiibkn32.exe
968	Ifmcdblq.exe
5020	Imgkql32.exe
1508	Ibccic32.exe
3316	Imihfl32.exe
2212	Jbfpobpb.exe
5064	Jiphkm32.exe
656	Jagqlj32.exe
1356	Jfdida32.exe
1476	Jibeql32.exe
4440	Jaimbj32.exe
1948	Jdhine32.exe
1240	Jjbako32.exe
5084	Jdjfcecp.exe
2536	Jigollag.exe
3300	Jbocea32.exe
2712	Jkfkfohj.exe
3028	Kdopod32.exe
5048	Kgmlkp32.exe
752	Kilhgk32.exe
1232	Kmgdgjek.exe
2840	Kdaldd32.exe
5100	Kgphpo32.exe
4796	Kinemkko.exe
4596	Kaemnhla.exe
3332	Kdcijcke.exe
3556	Kipabjil.exe
700	Kpjjod32.exe
4860	Kcifkp32.exe
4568	Kkpnlm32.exe
540	Kpmfddnf.exe
2320	Kckbqpnj.exe
4764	Kgfoan32.exe
936	Liekmj32.exe
4580	Lalcng32.exe
4300	Ldkojb32.exe
556	Lcmofolg.exe
4960	Lkdggmlj.exe
1576	Lmccchkn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5864	5716	WerFault.exe	205

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 388	4944	8fe4d327fe42464f2395c529a7386ee39f11d6c6618faccf32f8d73ea7451233.exe	84
PID 4944 wrote to memory of 388	4944	8fe4d327fe42464f2395c529a7386ee39f11d6c6618faccf32f8d73ea7451233.exe	84
PID 4944 wrote to memory of 388	4944	8fe4d327fe42464f2395c529a7386ee39f11d6c6618faccf32f8d73ea7451233.exe	84
PID 388 wrote to memory of 532	388	Fjhmgeao.exe	85
PID 388 wrote to memory of 532	388	Fjhmgeao.exe	85
PID 388 wrote to memory of 532	388	Fjhmgeao.exe	85
PID 532 wrote to memory of 4852	532	Fmficqpc.exe	86
PID 532 wrote to memory of 4852	532	Fmficqpc.exe	86
PID 532 wrote to memory of 4852	532	Fmficqpc.exe	86
PID 4852 wrote to memory of 1164	4852	Gcpapkgp.exe	87
PID 4852 wrote to memory of 1164	4852	Gcpapkgp.exe	87
PID 4852 wrote to memory of 1164	4852	Gcpapkgp.exe	87
PID 1164 wrote to memory of 2836	1164	Gmhfhp32.exe	88
PID 1164 wrote to memory of 2836	1164	Gmhfhp32.exe	88
PID 1164 wrote to memory of 2836	1164	Gmhfhp32.exe	88
PID 2836 wrote to memory of 2004	2836	Gjlfbd32.exe	89
PID 2836 wrote to memory of 2004	2836	Gjlfbd32.exe	89
PID 2836 wrote to memory of 2004	2836	Gjlfbd32.exe	89
PID 2004 wrote to memory of 2900	2004	Goiojk32.exe	90
PID 2004 wrote to memory of 2900	2004	Goiojk32.exe	90
PID 2004 wrote to memory of 2900	2004	Goiojk32.exe	90
PID 2900 wrote to memory of 2752	2900	Gjocgdkg.exe	91
PID 2900 wrote to memory of 2752	2900	Gjocgdkg.exe	91
PID 2900 wrote to memory of 2752	2900	Gjocgdkg.exe	91
PID 2752 wrote to memory of 320	2752	Gqikdn32.exe	92
PID 2752 wrote to memory of 320	2752	Gqikdn32.exe	92
PID 2752 wrote to memory of 320	2752	Gqikdn32.exe	92
PID 320 wrote to memory of 2564	320	Gbjhlfhb.exe	93
PID 320 wrote to memory of 2564	320	Gbjhlfhb.exe	93
PID 320 wrote to memory of 2564	320	Gbjhlfhb.exe	93
PID 2564 wrote to memory of 4684	2564	Gidphq32.exe	94
PID 2564 wrote to memory of 4684	2564	Gidphq32.exe	94
PID 2564 wrote to memory of 4684	2564	Gidphq32.exe	94
PID 4684 wrote to memory of 684	4684	Gbldaffp.exe	95
PID 4684 wrote to memory of 684	4684	Gbldaffp.exe	95
PID 4684 wrote to memory of 684	4684	Gbldaffp.exe	95
PID 684 wrote to memory of 4308	684	Gmaioo32.exe	96
PID 684 wrote to memory of 4308	684	Gmaioo32.exe	96
PID 684 wrote to memory of 4308	684	Gmaioo32.exe	96
PID 4308 wrote to memory of 3672	4308	Gppekj32.exe	97
PID 4308 wrote to memory of 3672	4308	Gppekj32.exe	97
PID 4308 wrote to memory of 3672	4308	Gppekj32.exe	97
PID 3672 wrote to memory of 3768	3672	Hboagf32.exe	98
PID 3672 wrote to memory of 3768	3672	Hboagf32.exe	98
PID 3672 wrote to memory of 3768	3672	Hboagf32.exe	98
PID 3768 wrote to memory of 972	3768	Hbanme32.exe	99
PID 3768 wrote to memory of 972	3768	Hbanme32.exe	99
PID 3768 wrote to memory of 972	3768	Hbanme32.exe	99
PID 972 wrote to memory of 1568	972	Hikfip32.exe	101
PID 972 wrote to memory of 1568	972	Hikfip32.exe	101
PID 972 wrote to memory of 1568	972	Hikfip32.exe	101
PID 1568 wrote to memory of 2220	1568	Habnjm32.exe	103
PID 1568 wrote to memory of 2220	1568	Habnjm32.exe	103
PID 1568 wrote to memory of 2220	1568	Habnjm32.exe	103
PID 2220 wrote to memory of 4244	2220	Hbeghene.exe	104
PID 2220 wrote to memory of 4244	2220	Hbeghene.exe	104
PID 2220 wrote to memory of 4244	2220	Hbeghene.exe	104
PID 4244 wrote to memory of 3320	4244	Haggelfd.exe	106
PID 4244 wrote to memory of 3320	4244	Haggelfd.exe	106
PID 4244 wrote to memory of 3320	4244	Haggelfd.exe	106
PID 3320 wrote to memory of 3056	3320	Hfcpncdk.exe	107
PID 3320 wrote to memory of 3056	3320	Hfcpncdk.exe	107
PID 3320 wrote to memory of 3056	3320	Hfcpncdk.exe	107
PID 3056 wrote to memory of 4200	3056	Hmmhjm32.exe	108

C:\Users\Admin\AppData\Local\Temp\8fe4d327fe42464f2395c529a7386ee39f11d6c6618faccf32f8d73ea7451233.exe
"C:\Users\Admin\AppData\Local\Temp\8fe4d327fe42464f2395c529a7386ee39f11d6c6618faccf32f8d73ea7451233.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\Fjhmgeao.exe
  C:\Windows\system32\Fjhmgeao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\SysWOW64\Fmficqpc.exe
    C:\Windows\system32\Fmficqpc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\Gcpapkgp.exe
      C:\Windows\system32\Gcpapkgp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        23⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        29⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        32⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        36⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        42⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        45⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        48⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        55⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        58⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2236
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3536
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4688
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        72⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4964
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        74⤵
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3092
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        82⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4888
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        88⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        90⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        98⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        99⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        100⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        101⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        103⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        105⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        108⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        110⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        113⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        114⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        119⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 400
        120⤵
        Program crash
        
        PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5716 -ip 5716
1⤵
PID:5820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
224KB

MD5
5880019e253b0a1aed4996f1f09b3a39

SHA1
6d5287caa937256c29bdb38ff5697bba4e905cdc

SHA256
fc90a9331392ebbaf66fa7b9f6aef17953eb2320c841d175347537047bfaba62

SHA512
62e0d96e4c61e8c896b2ae6d7c4df17c25caa7b5b4470bb747bcdf20b4ddfa96b7449f0fea50a4d7812a8aa82b6a26cbaeb00f335f02632568395f55ed3f058b

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
224KB

MD5
63a4ab104d315869e0f9b29f118216fa

SHA1
3e7918d6ec017c5aa6e7eb5616e541ada44889c8

SHA256
0c7ee09250c913f9899dc1be75244a2b6ada542f63a194cea0a4367cef59e4b7

SHA512
3c3fafa590019faadf2c2e5195b5c63d3d6ccb645ee74a7fabf1d2c26dfad822ddfdc5b796e1d84f57f0cde7c489333dfd686dd0d322457b7e89036c7cfa2ee6

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
224KB

MD5
57302545240f404fe28e220b401f3d4d

SHA1
c1f36cb34db95554656bda62e14921e328129691

SHA256
4e45b91cabd1abff50c9869a0a9f228e390621ce12a8a04dc884b2d5306c4d6d

SHA512
42e14b3542ff5332474644711034c29efd80ed94592dc70125f57045a6c279d4e397a45d0080599b221fca0bc472ff33597110d726d508ac3e0ad6edaa6d2573

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
224KB

MD5
cd1c2b9e1e90dab00a299c0f1f8e6b9a

SHA1
a0dc1a90a57b430078ff1e6cbbfe78f209e955fd

SHA256
0732c7af10f735b82e92e8ac1b21d1a35fde981a23b773485a54112576c625c2

SHA512
21e7f1c023057b91268c811a11a1130cfb09e041f8367c65f9427e38885952994d214d542531fd1d8110467960e9c7bdc815a6a0d580fabb63c3892f7ae209cf

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
224KB

MD5
71058ed851ae1f5081807194d4ae002d

SHA1
d273ba1638367f736d904058d2df375d0ff65929

SHA256
da98e311a8929ff70990a5b79885e1d66681962c8b600a18c65ccae3215d213b

SHA512
6a4f4314e62023db57e2b4492ed704abc70ca48b648242ddca202833c98b2139daf53c374cdde6dc07e6cf78b0ba4f59da6eb667dfcd5b18885953990b48fa20

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
224KB

MD5
539f8aef377ff3e670601c7ae9689f77

SHA1
4dc15897e97c67defd98bf164199f19415a00c1a

SHA256
e9276dc0f2f779e19ccce8380238369d73a8bcddd876a453c8f63b3ecd487fe8

SHA512
0fe2e03170165ee1bb40531f9814bc344788b0d78136c500c2b50d97eefd2a4f8c0eee6677d7a5416c4b1659c2e1ea2c299fd794bf676ab068a5305de915277e

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
224KB

MD5
d6e027332dc3edd8569fc06f0ad9b0fb

SHA1
e8415c50ee78ed31cc1918f3e5091029130722cc

SHA256
b6fc0c78a6bc1765e08a6ecffa9ec5ee849db41744dcb53657dada26d6564813

SHA512
5487e23fc665e66049d809e5f33e9b668d955ff089fdc04ab4f29a0782b7995326c92d9f28ece60e09f768d7db4660d533f5d1b30c9ded9f9df2a158f7f09908

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
224KB

MD5
96e29426f93486ec492e030d65e0f5cf

SHA1
9dffc0f89cfb9786c8da00e743474f94846b26b4

SHA256
4a7ef311e85736572cf110425c439a12622cafdb04fe9964f61636f0718ca09f

SHA512
7eba9ff27f8590a00a5204ff8e3e7e2c67e0395ce99a8c88da234d54dea91687c45aa5bcf3ba89cb1bc090b716c7c9812927632b566cba4d2c289a7def0412d9

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
224KB

MD5
da36c3af0a07304a089efa9a4448ab27

SHA1
de990c89c8fefd93afe4f6c39ebcb6e2803a076b

SHA256
ca7181fe730af645ffa12a9a5ab5c18bc697c90e62d48db8f6c78fab1f8e0b20

SHA512
4b2f5984be16599f54a21adae725e06e34041a84575450697d0d4676b99c3fd9a31387e6179911961a00c7793aa0f28b144dc19776f785ab1cedf8cd981f9147

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
224KB

MD5
71937540a1b4649e269da062e7f1723e

SHA1
0279e81690e359b3af9dcd721130e55a4b940103

SHA256
c2bf7bd449e9d9b97ef62a7eb02c05e876a88f2e5ebc74c0e2b06cc114d4bc65

SHA512
ca30e3d9d291b4efa870425498fdec916b1ef635e0ddf202f041041006633f09d545c2f83deae659ee38f358553942cd1c7c2b3a30555f8969c046d808de37a1

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
224KB

MD5
5a0930a39b1734b1eae5209ecc3b9356

SHA1
f39413a3ae92f56355e8e5351da794f1476a57c0

SHA256
103f712bde573a3c4a4878fa80ed441a7b6e555a9d86984140511289a5185b97

SHA512
6b0eb9bd1b98bc6d2e2db05fb5c8346a35de3cfa0047716ed6e773bc0592b4f25b4774f29c3d1863c817ba76b00d8b5d40090a0e1fa63671444de89237f64d79

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
224KB

MD5
1f3623d3879405955427d7ad52134d12

SHA1
a194e00db00e356f60f3d0e09ed47e8954f8f07a

SHA256
77f62ed9c1a04b5fe7432c62377ad7790cc4aed3b46eb6082f3752afa3fdd8bf

SHA512
fe898498d816954fc70d3601f6c827eb0e0fe2088f339a7d86885b8549d6e070927c413613d9aaa2aa244853e8754dea498bb6b79cc8b9bd8eb4e0918deea0eb

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
224KB

MD5
c2504bf9afe3dbec3421b828377a0b0f

SHA1
35fa6a9ca8405d7b1b3d257e4539fc0147ebd252

SHA256
1b8605fd211ab350de087dd08bc2059b4bb1c13248b6eb507d7f41e2039530b4

SHA512
a908ffa794ccff16b648724a4d5929488a25f843565a229df532698779bb4d2145fda44a6caf7e483e49486c181da225c06af1e1ef1ba66d3bace31ecb8dbc6d

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
224KB

MD5
d6c4620cfe8803687b17ed2792ab7330

SHA1
c2fbbb90b9e7b3a7d7a198074aed48af13c30fa8

SHA256
38aa2a1bbe86b3b3d269c58a051c5b58fbcc3e2ed641c4489b147b6918087bb2

SHA512
c60c4f1b9c845d2f93bf143d4771ad1d93470d7e19f0895d494a57e9c813f737df2deb6c196d17d36f5357cfc4ebfd684a13110b698b9e81cf8e1d39406b2181

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
224KB

MD5
3d55a25092279b5b726ee909dbf914d4

SHA1
c83d8878894ae76a910d8008be4b012186992c5e

SHA256
512bc388905af2aaa91dc7a399b0da6339473a09a12e029ca86e0cdd6474bb01

SHA512
d15448166b566d57c7fc42dc3b081ec650929445ce37a23d64f943a902fa98b503227dfbfbc4646d015a329ab19b6dedf1e28dd64a483fd5f0577e0bad1a0d22

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
224KB

MD5
d4b415ab7930260a775f0248cfa9736e

SHA1
ae34b456f53408f74b4530e2d1998938db51546f

SHA256
4a35b2df639d9ddddffc5fd9834b5daff8467b73ee03c7a8f2077dcaaf207cfa

SHA512
144ba330255fdb7e7392ad2a55873256e13e106275ae28e81af07d59c9f18503a5b4867d3ae8419e211f91104fb4ff2ed612b63236b0204190c29f5b63e8fc62

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
224KB

MD5
c733dbd4c43b4188d0fbd737e085560d

SHA1
d498bcabf0bc97ee49612cebd6f08cd724979d83

SHA256
bd39c3d9b09b5e1ebdee0cdc1806191c8994c8261c1e3d65661c8ee35076dc79

SHA512
160daa1653b055226be02cdd495ec5c624561537a3c31c860faf77e1c6c4d5b180c374e4f7c1fd066f57f37cf8b9c056734d4fadcf8a050f09a956f200c53a86

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
224KB

MD5
ae600b933e4805382378b72c1905f9f2

SHA1
09efccaf8feea4369e31dd0492078c5619ec23cd

SHA256
9382f1f56fcba1034f40ee434b9a0eec81c948bac6f907e02e3e0ab4ba8a5659

SHA512
1cb501275851d9e9d2f226ed614658bc1ae385f2e2d6bec613e8688f218a78e7ac5cf161869a6cd55a05e5fe62eb7b45ed1570ba1cf46e70a52d432698ab1b0e

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
224KB

MD5
4c55961b3e7790de7446daa41fe05f0f

SHA1
5ea893f417399c4eb60106edc9c42a912bab8b41

SHA256
0457d098c96d5d9ca0124b139d4de0c27e383a7cdea5914180a3ff26fda2fae7

SHA512
327292e001dbaaefb58aaecc5779e8bf741469d42647a11ed530e3595180ff2c738b20fc24c449369d93e8110663a66554ec80d8214baa0f4193dbe9ddd217d9

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
224KB

MD5
4f30ac9b5745691b9efeaed9157706d5

SHA1
b1095fcd24d273e12d7b4242ba2d226f4a35cbcc

SHA256
1362043d6056a44a3aab088740303b36b1ba377a5d620482c1b38d7bd788dba9

SHA512
5ed18deb7339770527dc741f22357d76b044a33f3ea149e8ad65cefc412f8525f2474a3f056561061993a317158d7a4798801e99147be78821a545efe7319b9b

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
224KB

MD5
3830a73065812bc818d0fbd7e9b5830d

SHA1
b58ca073ca91af432da191ae8823798dfa6d4391

SHA256
00267d679d40653a3788d39dc3d3970bfd5bb06f4598ff8d945210bdf3727b27

SHA512
fae02e2b5983a312a693872041d4b4bf8983587f7601a77a3af436d8b2d642a66c2656b5b53266900ee63c8aef5735c6ebe5b8a8d510b53375c65d7a5161db2c

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
224KB

MD5
9de62f70eb0f2071e8fc1e01f04621b1

SHA1
39dfb29f6c9b7fbc839bb5e22f35e0a0d7cb9ded

SHA256
3609eadacd930e6f8a19a67b768fda51fa457b9d47fd648102e8611863ccef33

SHA512
f85fa7238a3ce992e28735022dca0a27a000504574de8cb95caf27f19be6c781b0546b67842aff0ae0a891cd5322b5f47b30198052cac78b5004ca99e3db978a

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
224KB

MD5
5d63266d8292b0d5b72e9af9899e679f

SHA1
46da346067ece7d1ef1bc1d88669bdee0e55fe0f

SHA256
ad0bd8144dc5d029cbad0e3946c85e762d8b6775b0ac8df6bbb8b5188174af29

SHA512
0cc5f607b49346b3fdc1270d245608fc5fd0dd3762e9c346a72008cfcc5e67738924d9f2e85434b3472cb0f6695e354e0008eedf087bde55ad1e0815e95718ad

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
224KB

MD5
815ce6957140d0b36472affb18b289a9

SHA1
faa818fc68218f990180006b3294f4bececa7e67

SHA256
3c09e1fed050523bc820394ae45cd9b8986c1cc7c13115f01616594461063e95

SHA512
de45a2429135e221ad5a071993f975841779a9a31588c4c9e6317d0a9ce0a96d3431fc5b83c40376e0dbc5832322b86e8ac168e301489af5e367d4aa82e39708

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
224KB

MD5
d1b4a458dc2b5687d5c2c6cd3a1eeffd

SHA1
bd1f9fdea8d86010e857bc7123b20aedcefa558c

SHA256
a0ac2bc9af0bca30e56070eb74e98033547a89482e3ac99208c97bfbc932014f

SHA512
dc8b8c7a8c91ef53fbc5c9b6d22f9c969199f6d98bd2107c8ef204b3186b99c45f3f963924c450b40e30b77f12262e1ce427de18097bf4f1a3b71eef9d2dcf92

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
224KB

MD5
c967a70c71c3003ed174e1b3f66be7e9

SHA1
35d6ca95122dcb511a8394d38c01ac17d1041e98

SHA256
78967cd372ed39d63b5b92cb3110814911673451939ae1b152cbfe05ebf0bc99

SHA512
200a6493df774d69e17365c738e2e32832ef984ddc21d40550f2ab18af97c9b060ae8d443098edacaf1c73a0b9a580691ed46d77a87c84ae9b4557e2e735d6d3

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
224KB

MD5
de44aadaf64171039b1e756fee1b02c0

SHA1
96b626c29170dddcfdccf911f7f97a95dd8112f1

SHA256
9cbeed55181fd1984450d0cd1b777a14ddbb063a59782593dc32592804f560f6

SHA512
211e390261b996fce6f2b4b1daa51166890bc25b23d2027a618b0b26b2f50697038fc8087521789bcb76ccdccb8fd427d2bdde208e234b4fd31bc04edce2e0f8

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
224KB

MD5
f54c8fdc56129f24302e757edbda551f

SHA1
f42d91d01aad04400a1951128bd8c3a2677ad0d6

SHA256
75f63466585608e4c4b2a021b9cf246db4b766bd58f34c7d0e069f436a46c22d

SHA512
8598df83e1d3d05f6a530486a95c045570094286b8a3b73bec548984fa0ff9b8bfba288423049081210995152471d23ad6bdc38613f0e15fea23ab01ab81d904

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
224KB

MD5
2550ca90c599050cc68eaf243354a742

SHA1
4db8d24e3ba2d4ec1ba7f19d131e76a10307c092

SHA256
7eb0a70d6aa5bfb7a5f70d536aa15c5bb53ab4cc904c89a505f44a2c52a94eeb

SHA512
2c8efe50a5d9bbd4b551c5e8f5c454ae0e6b4888bfb065a419a68dc6fc611e1fe7c04bfb41fbaa677e554921593c71f9e64c2471ef83725d32ddd54d431a621b

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
224KB

MD5
6b41d68431c64c965e1a90bf1019a789

SHA1
7a51647bafa02de38cab40972df391a466a33ec2

SHA256
877edcc48583b1b9182c99213caebf5f0fdb1f80e51041d9ee5ad17e688df93a

SHA512
e1d0e8e6a2a8975e74719fccfa357fd225ad66cacd5d8c723dff7aaa9a8b5e805e86cf3d2f5eccfe15e3cb1fb9c151a589b75e648e5925a67262624e332efb94

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
224KB

MD5
559eb2d3e8a30830e3fdd741d15eed8b

SHA1
fd67cf617c1230d02442628d418942d0272a875f

SHA256
85bdd6f81318c63248532eecce808cf452139d83815581c3748ad459b76e232b

SHA512
0aa231dda021116af4d472b7d0f23f62634d12ead9531f6658429da2638e1f6a642e4e50a365f710cad36de84d9f2e16c7fffa558719c1cde59176000f64cacb

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
224KB

MD5
f70a5322c4a0661d58c1f2c6a3084d90

SHA1
0f49197aa041427553deaad3e6bb2582ed198094

SHA256
e31426ebebd2b3d21adfdc6e91ed5955e168f9d3bbe996fc6109175d2a08017c

SHA512
ea510cd8a0ceaaf0130733a15c7173a100bc68a38947ad3dca09c949287b7060cc798b9b8ea407e77167b549c36a6d82db5aba4b43cd3c827465484478deaade

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
224KB

MD5
65ea9e84495f56486ed5821c5449319c

SHA1
1bd96dc6b7b653f9bee23c96d99251f216a81013

SHA256
af9c0e5140912b94315ea0d8816398e748fa28e4d3a4fe341fe295fc629b7252

SHA512
a7918a9b2ee534f212866a9364bf2eab1f5c21ed2f99f0c66f8ff6ee020347e7f11155772e8cccafc87bc16e9478a3f71c18c324ef49c092961bc60d579613e4

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
224KB

MD5
bfd1472fdc2bac1dc3a8807b0b9330b1

SHA1
90ee079cac9c100f4d359ecf2e2e74b6f527a1dc

SHA256
fda2afc58816e4a0adddf9aaf7d40fd3b30232ee363da530a68b69359972eb34

SHA512
dbf4fd2ab73edabcc2069f1fc6c92dd736f0fc071c8d6e5bb1e78c17d3ba6797273044ba493352b389d3120636b79e322519ef31ee3aeb4d67f0535814af0ce2

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
224KB

MD5
085bff268548b8a57c72987e14d9e0b8

SHA1
04549d5d32f6ffdcd53da3a0eec003a7ab539933

SHA256
14dc11176258fcbc89ce1d1514fcaeeb549cc2f51690dfb22fc1bf4de79b1177

SHA512
47fefae8261c97ae3791b7cf785521a9487265d2ba88387c1d98cdbdaa241e9ed6fc846fb8042bb62db263d4cd8b3ff8a9fde9d29595ba48e9a454fa03fafe39

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
224KB

MD5
3496a41c0c652bf75247b5318efb4af5

SHA1
15f58732b9192c604b611c6b3b0614d8d5eb1521

SHA256
25a93d5fc44259eb499e43e08568f18976b1e62eb33f8750ee5d010375507131

SHA512
80850de63bf119ab0c58492e937725123de46cdb8cdb4b51d9074fe47969acaabe6b557da11c52e4781f824e14d4d47ca78902a8bcc426d2dce454a026b25577

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
224KB

MD5
ab8f17ce11cd673a7c8547cef79e58d9

SHA1
330756d06c111c03be44e032ef441ea1f28d80c4

SHA256
61a3d7c1217a87c5aa456c49aa456ddcc298f8369c6d3b2e4f6eba19674a180f

SHA512
8f0c96fc5ed0bc3598880abcd200fe0178d229e1d4ae8dbf391fce3dea0796d3e033cd230631158400be4569db837058bff65a4a6a53a076377115f5ae841bbb

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
224KB

MD5
7ec1306760bb1805f812fff90ac0d3f0

SHA1
d5d449799e4c0409b7c5e12cb36ad4cc6dacd887

SHA256
ce9eb605ebb8ae066d28cf424c8806cdd2bc7d7dc12f88bba02d58a8e46f95c7

SHA512
9273ef9befa1c5bdbdd961e8c8bc6856d1abf29ea80e20bb7dee680b50fe399a307a55c5e201b967e41b59086c6472aafa6837ae64536c787b8f0112709859a1

Download Submit
memory/320-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4944-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads