58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd

Analysis

max time kernel
140s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd.exe
Size

45KB
MD5

297b59843fc9c7b10daafc5616914eb4
SHA1

0c28676315a7bb7e6b059bbd7a97424271d9c693
SHA256

58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd
SHA512

c13a5d30b8be889e7d74f485be7843bd087007856d9431178e8b6471bc8cdd47c1572841d730d654e282b3d3ea0fa3a187f8e433936724a4ea4d832914bebc7d
SSDEEP

768:08YXg4Qiv/q6Piz4/D5jGI+ZxIpPaqlRzFRVmUuV/1H5ME:H4QiFPUacI+0taUHRVWKE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe

Executes dropped EXE 64 IoCs

pid	Process
4208	Gbcakg32.exe
3208	Gjjjle32.exe
4040	Gmhfhp32.exe
3308	Gbenqg32.exe
2548	Gjlfbd32.exe
4704	Gqfooodg.exe
1648	Gfcgge32.exe
2824	Gqikdn32.exe
3940	Gfedle32.exe
4600	Gidphq32.exe
1164	Gpnhekgl.exe
3392	Gfhqbe32.exe
4624	Gifmnpnl.exe
4904	Gameonno.exe
524	Hfjmgdlf.exe
3408	Hihicplj.exe
2320	Hcnnaikp.exe
4884	Hfljmdjc.exe
876	Hikfip32.exe
2324	Hcqjfh32.exe
4796	Hbckbepg.exe
692	Hmioonpn.exe
312	Hpgkkioa.exe
2292	Hfachc32.exe
4012	Hmklen32.exe
1612	Hpihai32.exe
5088	Hfcpncdk.exe
4980	Hibljoco.exe
2236	Ipldfi32.exe
2584	Iffmccbi.exe
5032	Iidipnal.exe
1776	Iakaql32.exe
5044	Icjmmg32.exe
4140	Iiffen32.exe
4312	Iannfk32.exe
3312	Ipqnahgf.exe
3720	Ifjfnb32.exe
3116	Imdnklfp.exe
4084	Idofhfmm.exe
4180	Ifmcdblq.exe
2264	Iikopmkd.exe
2660	Iabgaklg.exe
1052	Ifopiajn.exe
1232	Iinlemia.exe
1632	Jaedgjjd.exe
2400	Jjmhppqd.exe
1256	Jmkdlkph.exe
3244	Jpjqhgol.exe
3960	Jbhmdbnp.exe
1348	Jibeql32.exe
3348	Jaimbj32.exe
4992	Jbkjjblm.exe
892	Jidbflcj.exe
3164	Jpojcf32.exe
1672	Jbmfoa32.exe
2140	Jigollag.exe
1528	Jpaghf32.exe
1460	Jfkoeppq.exe
4696	Jiikak32.exe
2676	Kaqcbi32.exe
4548	Kdopod32.exe
5024	Kkihknfg.exe
2780	Kilhgk32.exe
988	Kpepcedo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5732	5396	WerFault.exe	210

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 4208	3472	58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd.exe	82
PID 3472 wrote to memory of 4208	3472	58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd.exe	82
PID 3472 wrote to memory of 4208	3472	58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd.exe	82
PID 4208 wrote to memory of 3208	4208	Gbcakg32.exe	83
PID 4208 wrote to memory of 3208	4208	Gbcakg32.exe	83
PID 4208 wrote to memory of 3208	4208	Gbcakg32.exe	83
PID 3208 wrote to memory of 4040	3208	Gjjjle32.exe	84
PID 3208 wrote to memory of 4040	3208	Gjjjle32.exe	84
PID 3208 wrote to memory of 4040	3208	Gjjjle32.exe	84
PID 4040 wrote to memory of 3308	4040	Gmhfhp32.exe	85
PID 4040 wrote to memory of 3308	4040	Gmhfhp32.exe	85
PID 4040 wrote to memory of 3308	4040	Gmhfhp32.exe	85
PID 3308 wrote to memory of 2548	3308	Gbenqg32.exe	86
PID 3308 wrote to memory of 2548	3308	Gbenqg32.exe	86
PID 3308 wrote to memory of 2548	3308	Gbenqg32.exe	86
PID 2548 wrote to memory of 4704	2548	Gjlfbd32.exe	87
PID 2548 wrote to memory of 4704	2548	Gjlfbd32.exe	87
PID 2548 wrote to memory of 4704	2548	Gjlfbd32.exe	87
PID 4704 wrote to memory of 1648	4704	Gqfooodg.exe	88
PID 4704 wrote to memory of 1648	4704	Gqfooodg.exe	88
PID 4704 wrote to memory of 1648	4704	Gqfooodg.exe	88
PID 1648 wrote to memory of 2824	1648	Gfcgge32.exe	89
PID 1648 wrote to memory of 2824	1648	Gfcgge32.exe	89
PID 1648 wrote to memory of 2824	1648	Gfcgge32.exe	89
PID 2824 wrote to memory of 3940	2824	Gqikdn32.exe	90
PID 2824 wrote to memory of 3940	2824	Gqikdn32.exe	90
PID 2824 wrote to memory of 3940	2824	Gqikdn32.exe	90
PID 3940 wrote to memory of 4600	3940	Gfedle32.exe	91
PID 3940 wrote to memory of 4600	3940	Gfedle32.exe	91
PID 3940 wrote to memory of 4600	3940	Gfedle32.exe	91
PID 4600 wrote to memory of 1164	4600	Gidphq32.exe	92
PID 4600 wrote to memory of 1164	4600	Gidphq32.exe	92
PID 4600 wrote to memory of 1164	4600	Gidphq32.exe	92
PID 1164 wrote to memory of 3392	1164	Gpnhekgl.exe	93
PID 1164 wrote to memory of 3392	1164	Gpnhekgl.exe	93
PID 1164 wrote to memory of 3392	1164	Gpnhekgl.exe	93
PID 3392 wrote to memory of 4624	3392	Gfhqbe32.exe	94
PID 3392 wrote to memory of 4624	3392	Gfhqbe32.exe	94
PID 3392 wrote to memory of 4624	3392	Gfhqbe32.exe	94
PID 4624 wrote to memory of 4904	4624	Gifmnpnl.exe	95
PID 4624 wrote to memory of 4904	4624	Gifmnpnl.exe	95
PID 4624 wrote to memory of 4904	4624	Gifmnpnl.exe	95
PID 4904 wrote to memory of 524	4904	Gameonno.exe	96
PID 4904 wrote to memory of 524	4904	Gameonno.exe	96
PID 4904 wrote to memory of 524	4904	Gameonno.exe	96
PID 524 wrote to memory of 3408	524	Hfjmgdlf.exe	97
PID 524 wrote to memory of 3408	524	Hfjmgdlf.exe	97
PID 524 wrote to memory of 3408	524	Hfjmgdlf.exe	97
PID 3408 wrote to memory of 2320	3408	Hihicplj.exe	98
PID 3408 wrote to memory of 2320	3408	Hihicplj.exe	98
PID 3408 wrote to memory of 2320	3408	Hihicplj.exe	98
PID 2320 wrote to memory of 4884	2320	Hcnnaikp.exe	99
PID 2320 wrote to memory of 4884	2320	Hcnnaikp.exe	99
PID 2320 wrote to memory of 4884	2320	Hcnnaikp.exe	99
PID 4884 wrote to memory of 876	4884	Hfljmdjc.exe	100
PID 4884 wrote to memory of 876	4884	Hfljmdjc.exe	100
PID 4884 wrote to memory of 876	4884	Hfljmdjc.exe	100
PID 876 wrote to memory of 2324	876	Hikfip32.exe	102
PID 876 wrote to memory of 2324	876	Hikfip32.exe	102
PID 876 wrote to memory of 2324	876	Hikfip32.exe	102
PID 2324 wrote to memory of 4796	2324	Hcqjfh32.exe	103
PID 2324 wrote to memory of 4796	2324	Hcqjfh32.exe	103
PID 2324 wrote to memory of 4796	2324	Hcqjfh32.exe	103
PID 4796 wrote to memory of 692	4796	Hbckbepg.exe	104

C:\Users\Admin\AppData\Local\Temp\58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd.exe
"C:\Users\Admin\AppData\Local\Temp\58cb56ca9ab94f5ada438124c86a118a157e7b9e8f76995f7d6d24c14ca94ccd.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\Gbcakg32.exe
  C:\Windows\system32\Gbcakg32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\SysWOW64\Gjjjle32.exe
    C:\Windows\system32\Gjjjle32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\SysWOW64\Gmhfhp32.exe
      C:\Windows\system32\Gmhfhp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
      - C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        25⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        29⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        32⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        33⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        37⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        38⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        51⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        52⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        55⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        60⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        64⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        67⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        71⤵
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        72⤵
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        73⤵
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:452
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        75⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        76⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4452
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        79⤵
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        80⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        84⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        85⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        88⤵
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        89⤵
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        91⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        93⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        94⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        97⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        101⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        104⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        109⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        111⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        114⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4192
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        123⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 408
        124⤵
        Program crash
        
        PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5396 -ip 5396
1⤵
PID:5636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
45KB

MD5
31f452ede1f289b7d76377e7d96b0b71

SHA1
8d060b15cf1dea645f998a57838cd85c0e53ffd8

SHA256
9595beb4e0c5587dbd3ef3693256c2610ae72a38609041e6c227bba87c766465

SHA512
8fe6ebd0096093e6d19bf05714d336735abf16b79dfe9d3eee8833d1f903f09ddb1f80c4286b1a735d5471ec75cdfc1b8ad4a15af418f9d1bceb6018185d1d55

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
45KB

MD5
3476b3a3384384fe0cecb7eacc24921e

SHA1
ac335fbcf079942106bbe0d104fd6c380aa3e643

SHA256
85c0f9a268ee5be6fb399cf2bb5a934b800bf57cc81fd036d474f968a7052027

SHA512
9668356c91036a8b07f708151f78acd62e7ce8b564ad3488a7581ae294aa62d9151856f902832e9496a448fc87e9901e3187888c22a13f1c040aed8364bc411b

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
45KB

MD5
fd177757b2cf526583babc7c9cfe60ba

SHA1
d831cac4dac4cc3f280b11f2886bc7548ac35c92

SHA256
c1eb61347e18a218bac2ea08b5c53e4cff1c32e6560f069bce3063b92f8c35cf

SHA512
9750c0308673f5d72609def588be193b15fc8ec816bdacf425ada6e495bcd361568c8464b1a37c6dcf6bfe5492d3235373acb818624e0d85c9947da3cf6ff3fa

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
45KB

MD5
713fdb470e84bd7735f3ad8044d27583

SHA1
8392c176497d8a77de67d2120c24b5e2e3e9e3ac

SHA256
d58eb70b5c6d1ee5ca7543d9ebce207ece938a85be8f9e06c32d39031e7f93c5

SHA512
448537e536f78d232af3a30f582fe3dbcc3901a1130df6c50b21a8f700444ab21dbe6484ad422f57fba34b1d4dc0aaf17613b19fdc94d0fe492bd10db1893186

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
45KB

MD5
13b64eefce8e23bdf20b51f7da668536

SHA1
41a3593bdd6f41b70bda629ddd66279aaf343018

SHA256
89073e458633508c3dc37594cd9f04f5751d8cd0b14b42cd644f4dd3a737af0c

SHA512
31ed1d3a8d8c94df243afa6435a09e57e28898960a2c1ff92b37f5a53557488539cf67d9e5a8970ff4f7aced0099932da4ae99f65f116bc97873fab55d108191

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
45KB

MD5
39b8736ba308f77733a48f973500f808

SHA1
7a87fdf78f28d78d9154480c4bf9ff1d4f75bc44

SHA256
e724076e4bc043c0fbbc5038cd4e5a2fbbe7a2a55079245258a7b5cbdc7d897b

SHA512
1a112a507a49c4020156b7cd825b0842764b12c192f0479290fa935502d2e36920ccbf7ad9e23322178113901098b5c92034874bf4e5e228b8edb76dd6df77c9

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
45KB

MD5
8d0ab130e677476b4960d9b51b327337

SHA1
52bbda2ed9354da3895ae1299cfc17487455b32e

SHA256
1b45f51137b3aee2cf923326edf1e5700f9379165bc684139078a4ff62e8e3d3

SHA512
24c3b8933a0ddf3b534033221bdf024a668f096f573a5cda826df1b423fa936cffbc9cab0f790453e739e456f3602c29453b21bff4479310a38218230dd25281

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
45KB

MD5
90c3ae6be686997065518159baa474f3

SHA1
c97a7bb9bdaf2edd202bf3239f1d63a081ad0b85

SHA256
31fec374578d196a59a8ed0d97789fadd34ddda0d832accc8dd61979616951e5

SHA512
b810df44dea7492872e758eb8f683407ecf63efced2ab08331974e00461e3dad0898a3e10daae57f184367f860f4ac1a8f1ada9ff7d46add2e7d6a72bad444ed

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
45KB

MD5
694bfab83fc709a64d1c11d01b00ed55

SHA1
0b2584f8e70b1e39c85fe85f8d78926e4541ee16

SHA256
098119f4da0fbd9bd2f618bdd9bfa938ad38a3103db32932deca896320126640

SHA512
01d83df1c6d9eccf2e15049f0892dfb76f7429f37359a448a64ad842ac0b276cfcdce9541be82bfb283a2cc9de6a50436806b0546bbbb8091a6df0e3f016adf2

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
45KB

MD5
6fb62dc665dfc0b7c0aebcebd24ddb66

SHA1
dfaa369e859728bb56c8482e29e7a7cac46583ca

SHA256
de166e1c5cc95a75eb53a0dad61c3e83cca3fb75ef4166b199711b8648f31546

SHA512
1f89584754e9cfbc6e5d98c6b357018db600042560e25e444a5c9d44250701c161787f12b05a31c17160059ce603c97103dd8439cd0453d23f841bc625cabeb2

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
45KB

MD5
2a6f7770f33c7ddddc4375c10fb00bf9

SHA1
5e540f56b7ce232698e6f1a56d29eb9a2d01b93f

SHA256
12aa71fc6252ce48e8da21c172e2b6252e5d999623da33ddfa42688c1a92d45b

SHA512
513fd190dcd6f943cf0b293ef4bf906241be3db53a07e709c7575087755d50d84fbd793694bcd53fc9a0bca5cfa1a39cfd9a74f38923ee822faa1207f8300011

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
45KB

MD5
b36661c17e1f708370f0f2e5846ad091

SHA1
1e9bc7a41aed51d65c2d08adfbadccf7a80300b2

SHA256
7cb1ab2e583338f562344c577cd8b4766f1bdb252ad6c5fa2a5bc5f81ea6a011

SHA512
ef0f27751d9881d64e8c1dbd1d89ad0121de57937676cf8cc5e23ce2c67d633bb791004c94065d2b6b1147a9e81aa2489283495be7812a702e6bb25fe2d79e51

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
45KB

MD5
2d14885018b25195aed656f9b2668412

SHA1
1bda9494899f4f8d112fd235b495ef50988b20c4

SHA256
d1e8ff4dfdc6943171fdcfee9fe1e0f30a3efe74cdfaa7ba66bd81136f81dd1f

SHA512
8f62667e6b74b86acf7aee8d87c3c3f62971ad3a342881e65ad60519bd438ac1c5c6c72028c0fc6eb18ebd981d4d5af45b24f995052cdc81ef7712f14f3ec397

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
45KB

MD5
a7b4d68329792e98ef446d930e6dfd01

SHA1
b99c9cf2a3d8d3170fa7a75b03a7536070122edd

SHA256
91ecd299a4db87abb15b20f4f721a8e3e551d25868099caccbbd914d9bb8c411

SHA512
4bf4a8bdfa8a28057e86080328048716b5b9f29d6631ac6e5d35602683f99f823cad28a485697b3c7d827b4208d831a4bd423f8eb555a89aee6707967a84bae1

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
45KB

MD5
7d1eb47f4d173a6b6fe41712c4c64322

SHA1
5ac0da8a94e870593777f131957a81bb453a1427

SHA256
0b29dfa043bc9791f88c4dccb4c9eb700c370282a36926eae8698585e3fa4073

SHA512
e7afbd5959aa0d3c33371c607c92ee4f8b50e47e3c86d519d22adc57d3cea019e139150394b1e1efd5d4ab12d96721be2335f5f044d38b0183c056076ef982e2

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
45KB

MD5
8364e093484c8fd7e58ce2093f2738bc

SHA1
14d54515d68cf4ef1d92d09dd924614259d44bb0

SHA256
1529d12bed52c492737fae01e8d832124daddc0a3526f9785bf500a02b3b8eef

SHA512
a94bea135a008faf6c20b496ad563bf919a65937bf94b0ed8bc45ee1e42f1622cad5eb7a8b3833a80ff860a67deb06847d1cbe46db1643e7532bfd681a5cb07e

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
45KB

MD5
b045fda2f6e466cd7aff1ea4336f8fea

SHA1
4dd7de14c5ba9b73e320460a5d057a26e82a86a3

SHA256
0b6e701441c9216e228b1a9ff6f6c85e2b55216eb5dbb12298593dd6c7985b37

SHA512
26e487b261a34fd33dd84df56181e117cb39351c6c92376ea101716fa64c9d5f2001ab3bd76a36c9cde37f48847118412613ae5c372f6faa4de88960f318ec82

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
45KB

MD5
465c462060035bbb3c77d98b9482c0b3

SHA1
4d11cd7c3e675533de8788750132a773da307aa8

SHA256
cccf6fff33dc4502b53c3049909dcdb0b0e61c7c479533da039cb5ccbc94e0ad

SHA512
72b39f66b6ad35c93eeff0c6f83f829a8507c035bf75688c0dbe60daafb02d5ae6dce2eab3824f46215b7cfde17a6cde308765f58c8f8c2cd08672082aecf171

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
45KB

MD5
7735ea2786e2e4bf97f5a0d0d274ab83

SHA1
bd664bec242833081702884bd14257986c643e4b

SHA256
27d199e3a2cb034dc666d45b7ff7a672b80c365f80955e7cb9179cb6a470768b

SHA512
32db3a1976566212a092102bddafa5f78c90e0290c2f2d9124163da520f597ffb3cb211d926cdb9b3b4817f07b479b899d9452380c0d4f9262c7247a9ac1e8ab

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
45KB

MD5
da64f5508f2153eac417a84fa0524763

SHA1
1e44130f42fe9c461e2ecee679464f36835b9268

SHA256
0ddcb6faad2107df41c0334318550eb073e598741c3babc2b0b61c683c63642e

SHA512
61ffac3b6ea5e9c56c59a45206bbc4550787935da19aba22a9dee7c1d9bece84ae66f4ef9d997283af2d002b57655ed72a959a1e1a0da89210e14c1543efc06d

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
45KB

MD5
4a2060a5d24bc6056a40c08e50ed2074

SHA1
046fecbffa593679f53163a53724b7e7fa0abee7

SHA256
e5e136270d1a6d62a0a4f300b345ae2d3edc1341109c998af59206a95cf10bb3

SHA512
29501f8bacf18ca79de907625d42d539df9b5f2e13f3f39cce02301267c8f4ef4164cf622f49ab8dde719d5b3b56fffe755c4ab4851e390d3befedc572aa9bcb

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
45KB

MD5
975d1969d53fbe3f2e71ca1994dcf53c

SHA1
71eb435cb079c958e124cfc9898d72d86d4ab249

SHA256
3d7424f79c62f52e77644d4c9468668a2caf8c084abb3178aa119d184551bb3d

SHA512
cc0f54d4572e9ec38a311dd88fd2a87269633c1dc7a1d321bf3980631f66e63e5800d2a269d5cacb16c06ec45a3d35b6238cfb7e0cc1ec180c92deec7c422321

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
45KB

MD5
bdbac098f8ba0ecc9d03fa1c81fccc0c

SHA1
2e5ebdc88dfd3507d20ff3c53f945f65fbd6ed1d

SHA256
0eb6002833cfeade6b53333ae610e9bf8e320127372e3ebb5cbf9e11d627b2ae

SHA512
aa5f0350a18d69957162c9ec20ca79c5c12b3521e3d4ad9369f1cdad12d3b7a5478fac26201bcf146ef54a3a67b47f8cb0d77619f6eaf0014fc63d2723f129b1

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
45KB

MD5
63d20a57355e7bf0e4e6307c0f9f49b8

SHA1
66618c5a02d1b15eb124c60cdb4d08fc1f1c8879

SHA256
4d4d14209f35ee12e9df9a1bcba51759eb878451f17bb630992cdc3280779f57

SHA512
f53ebe12675d7240c2ead43a705388b36fb3bd5c0ab7df4acdc1305c5dc26273e3e3cf222134008e32ad1b893522b91670ffd8722cd80221923098b654c9350b

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
45KB

MD5
a7e36f3839f2d898481d324f8ab91d42

SHA1
751360c904456e1eabb0b929e5f110e0c62cc247

SHA256
eec05395d305ad6a0e663ee312892288e2734fc34a7142233462c202c16d8aa4

SHA512
c24ef46e1ff6552f51fc9c62b792cfa32968d9af7844d1c12067b82a65baa3f56d02bb59229de192440e30948e886c9f734b0e4242017465f57b4a6f9aa84db1

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
45KB

MD5
bc9640b3177b0d7ecee20ef1b48a16c3

SHA1
00a0e0c28a53c14e46c263bc4ffb8dc347c5b282

SHA256
55961a1ddfa5db74454e102ef97a9df1b38bb71ad1c0f4b2e22d3115a5ced51a

SHA512
ebb3aae90223daabf970a045a85eba47a2d86f9e6d583c3cc1b8555380dfd2180c900c52fb0727f5bb6905688b1cb8f452e202a2fea589a24f1487e7e6edfa66

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
45KB

MD5
d30f0700433b265347f45042f8102b53

SHA1
7cdfb26f65b28f3775e14d02b649fa9ffe9898a3

SHA256
4229e26e7d987bf3a176ff387b88299933ba9b9ce1a4abb55cb0c9468bdfd5ec

SHA512
5599a0abae6fda5a7580027f50f15dec64b2ad592c3157487a26787af36bcc904a1c6632690ab26a2e6da8f0e1cc922fae8a348227ec32c6833923d566e88694

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
45KB

MD5
65b8a9e71a8c7cb95e56f8195d05970a

SHA1
9d9a4cdd10c8d4bc1800bd5081f9a5fbbe93fa4f

SHA256
83f66c9fce302691f623ebcb0306434dbf15bc60f3094c49afc6cead85903330

SHA512
900f77faa13a2b65fa609b11f3d1a986ffe1070dff80be646dd248dcc523f8e1eda91f24e008f9e8ea86a73b9b19ed4b0af1e711a50eef324ae8b948f779f459

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
45KB

MD5
ee4b126c31855afe4cec3396f48c2a33

SHA1
45bc9a8da2d8f18a30b02c359deaab0436aa3e5d

SHA256
32e61e544804b023fef38e4067039f58dac71917236a6031fdafaa2e75b62c78

SHA512
35ada6d3e4916a7b32514b75e4d5ae7248e94e1995a793d251a32ce0377225f6118873dd7dbb36919158e6a96b8e5434942cd27be95c6564bda8fe8a14d5af90

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
45KB

MD5
22b8f3254965584bd47f93c862ccc36f

SHA1
5b9df69f9e5d5a026e40ce1f5cc48c4bbf68f7d1

SHA256
0b71f06e190c8d8a5087f999c82a7120a108d8c7288989005773abb47bc83840

SHA512
b14f45785a994cc41d9d24ca60fec2d64c370e64a0a2a764a079f623c97b76b2a550b45d18d9b2d511ee2021df21f9f1a47163c0a64be097a78b2094baa0dfd9

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
45KB

MD5
cbf45a875bba9e68a849936e986d580a

SHA1
ab7b99d289fcea818ddd36ed3525c9fd9c9c5ddc

SHA256
760befbf5231c7c787fd580875a9f0c104a7755da8608eb5cbd6d181adc991f1

SHA512
70b49d93f993f413a12f683c4ba75322486a6c273bc8b30e51f13cc20258601fa153b428fb6cd577f93eee132c7e14781ae7007439ab0d7552174a7846a4c597

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
45KB

MD5
c81af99698b8d22211d5b190222dd40c

SHA1
3270414c794eeb821f0c1f3f4d4d397b432fdb6c

SHA256
809093649a67e210b2995e8c79afbee40df1a6ae0435076839e00ae3d17d7444

SHA512
e508a7a729bdfb0afe31641cadb5ca3630a5eda6f8fb15de6f9a32dddc5929194a8283a2ef4b966f6c83a6be8e98c2aad640344974aa3c80e1771462ad8a54d7

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
45KB

MD5
9712ab61a3fae3ba0fa9ad7a73cee4c5

SHA1
8efe26ac4077d5e905268cf09802486353c8f4ac

SHA256
35c8fcc38252c265e2dadc55e800d8b2f4e189b3d07e96f5a54ad7013b5fbd37

SHA512
aac9e7d6af6cc8cda1389c38635347bac914ff50b9f617a1f1a8d0cf3b126af22f9999ff99e2d1d0d93e27350eb932ad909703e55fa98918d941dbf049dc594f

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
45KB

MD5
72e948d43ca56c0df90bbd971d4dcb6f

SHA1
1a95b5605e58c5d301cf74dd87ae0b21e60c3c29

SHA256
9131f0b3db413d8488c098da3cb05b7a9f32c36489e16fa10a235536e98b7011

SHA512
fc302928188ac9d7a1f7a0c37a4f44118106bc10bc2dca5605ec33ab651f41c46d43cd670fffd855bf7491bd75d3afd9e7b525870c8def28a6eaaa5293e9f52c

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
45KB

MD5
99ecd212edccedf86fb4d75be59c7b49

SHA1
76590ea679020635ab8a28b08e952795429f056d

SHA256
38c89adecc4950f6b122f4a26d8871f81420fb0fdfa30e483fc1ca7b204260e7

SHA512
bb85304ac725d92608e82da912c4a0d191d06d5267d4c8920bcd957a0b1cc44bb185a399ecd8663d10920fbccda7d6f5c030caf3c55ec7c5d587a43e1301fd2d

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
45KB

MD5
2331c5ceda81e93fefc47aa3c9edcfa1

SHA1
33dc630678e1cebce9975bd5179c743752fed57c

SHA256
c73c5bcdaea3d3b645e7811d74ceb38527e19a2c7a28e1b4b8fb7b480ebb116b

SHA512
690748dc07467cc0015739c3f5478ca8e7570dd951a07bf0c3d89d4a0393086d16436f583c1aa92d556fc5ca319434c22ae9759160902b9da71995b5b4235742

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
45KB

MD5
e2449e9498fd67de70a316e3a174f201

SHA1
4c24fb51a3c1d898e29e2bb3583220951eea657e

SHA256
23642eb57680d18d687942f9298a49f1888917cdea6e636b1cb2925fa1793923

SHA512
e58cbeaf502e474e86becd8c0521209998b6195c41aec8e2a01164ee2807ce3d53fbc5716467bea0f7ac4ef08f7fadeecdcf0f4baf9d8c1e9a9ca1a936befff6

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
45KB

MD5
9689a55627a76291ab0acf7b3f195bdd

SHA1
3fa1e65fdd84cc8abd9619411252848b16566a9b

SHA256
a28b4f09563e881f63335f504da4d4f695355f58b5db06d95e8533cffa2eca04

SHA512
91ee3047835e5ca82e2a1759d8cbaa4cdc8cc20b5db67a6146371ec44b49b369f18c58d7a07264a5b3da7ad4d6506a6e08f3ec1626256fab20799c88ade49482

Download Submit
memory/312-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/368-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/524-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/988-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-916-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-598-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-929-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3244-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3312-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3392-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3408-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3720-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4040-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4040-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4180-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4324-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4624-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-930-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4884-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5892-856-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6040-851-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6112-850-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads