3ddc3362f2ff0e0468af09f623545e47c9b2484b8b4e2aebffb52e3fe4067bf2

Analysis

max time kernel
145s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ddc3362f2ff0e0468af09f623545e47c9b2484b8b4e2aebffb52e3fe4067bf2.exe
Size

78KB
MD5

202773c28402dfd9f5340b61011e9869
SHA1

a4d684aecfcaecd36307b1d9f6c401cf3d95395f
SHA256

3ddc3362f2ff0e0468af09f623545e47c9b2484b8b4e2aebffb52e3fe4067bf2
SHA512

7750f58563209e6cfd96eee27bf2833d8b1c2cafdc689b65f34e152bd2e3580694c7f2ebd1bc6bdd642191b7618208c47c0fd968a560728d0bea794c2675b53c
SSDEEP

1536:rjc1Uayzewb+N8p9AaeGZCR3ik6yf5oAnqDM+4yyF:nc6fnQraenR3ikCuq4cyF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe

Executes dropped EXE 64 IoCs

pid	Process
4176	Gppekj32.exe
4388	Hboagf32.exe
3672	Hmdedo32.exe
2560	Hapaemll.exe
1552	Hpbaqj32.exe
4436	Hbanme32.exe
4244	Hjhfnccl.exe
2140	Hcqjfh32.exe
1980	Hfofbd32.exe
4716	Hadkpm32.exe
628	Hccglh32.exe
2728	Hippdo32.exe
2468	Hpihai32.exe
3256	Hcedaheh.exe
1240	Hibljoco.exe
3956	Haidklda.exe
3976	Ibjqcd32.exe
5000	Iffmccbi.exe
3928	Iidipnal.exe
5060	Iakaql32.exe
2224	Icjmmg32.exe
4108	Ifhiib32.exe
2384	Iiffen32.exe
932	Ipqnahgf.exe
2028	Icljbg32.exe
4252	Ifjfnb32.exe
2024	Imdnklfp.exe
3320	Ipckgh32.exe
2376	Idofhfmm.exe
5104	Ifmcdblq.exe
2472	Imgkql32.exe
3604	Ipegmg32.exe
3032	Ibccic32.exe
4624	Ifopiajn.exe
4440	Iinlemia.exe
2304	Jaedgjjd.exe
4844	Jpgdbg32.exe
1516	Jbfpobpb.exe
3380	Jjmhppqd.exe
1112	Jbhmdbnp.exe
3300	Jibeql32.exe
2496	Jmnaakne.exe
2988	Jplmmfmi.exe
1172	Jfffjqdf.exe
1808	Jmpngk32.exe
3868	Jdjfcecp.exe
3384	Jbmfoa32.exe
3816	Jmbklj32.exe
1012	Jpaghf32.exe
4592	Jbocea32.exe
812	Jiikak32.exe
5092	Kmegbjgn.exe
4980	Kpccnefa.exe
2964	Kbapjafe.exe
3184	Kkihknfg.exe
3584	Kilhgk32.exe
4564	Kpepcedo.exe
1968	Kdaldd32.exe
3400	Kkkdan32.exe
4224	Kinemkko.exe
436	Kaemnhla.exe
5056	Kdcijcke.exe
4240	Kgbefoji.exe
1916	Kknafn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5532	6108	WerFault.exe	216

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 4176	2788	3ddc3362f2ff0e0468af09f623545e47c9b2484b8b4e2aebffb52e3fe4067bf2.exe	84
PID 2788 wrote to memory of 4176	2788	3ddc3362f2ff0e0468af09f623545e47c9b2484b8b4e2aebffb52e3fe4067bf2.exe	84
PID 2788 wrote to memory of 4176	2788	3ddc3362f2ff0e0468af09f623545e47c9b2484b8b4e2aebffb52e3fe4067bf2.exe	84
PID 4176 wrote to memory of 4388	4176	Gppekj32.exe	85
PID 4176 wrote to memory of 4388	4176	Gppekj32.exe	85
PID 4176 wrote to memory of 4388	4176	Gppekj32.exe	85
PID 4388 wrote to memory of 3672	4388	Hboagf32.exe	86
PID 4388 wrote to memory of 3672	4388	Hboagf32.exe	86
PID 4388 wrote to memory of 3672	4388	Hboagf32.exe	86
PID 3672 wrote to memory of 2560	3672	Hmdedo32.exe	87
PID 3672 wrote to memory of 2560	3672	Hmdedo32.exe	87
PID 3672 wrote to memory of 2560	3672	Hmdedo32.exe	87
PID 2560 wrote to memory of 1552	2560	Hapaemll.exe	88
PID 2560 wrote to memory of 1552	2560	Hapaemll.exe	88
PID 2560 wrote to memory of 1552	2560	Hapaemll.exe	88
PID 1552 wrote to memory of 4436	1552	Hpbaqj32.exe	89
PID 1552 wrote to memory of 4436	1552	Hpbaqj32.exe	89
PID 1552 wrote to memory of 4436	1552	Hpbaqj32.exe	89
PID 4436 wrote to memory of 4244	4436	Hbanme32.exe	90
PID 4436 wrote to memory of 4244	4436	Hbanme32.exe	90
PID 4436 wrote to memory of 4244	4436	Hbanme32.exe	90
PID 4244 wrote to memory of 2140	4244	Hjhfnccl.exe	91
PID 4244 wrote to memory of 2140	4244	Hjhfnccl.exe	91
PID 4244 wrote to memory of 2140	4244	Hjhfnccl.exe	91
PID 2140 wrote to memory of 1980	2140	Hcqjfh32.exe	92
PID 2140 wrote to memory of 1980	2140	Hcqjfh32.exe	92
PID 2140 wrote to memory of 1980	2140	Hcqjfh32.exe	92
PID 1980 wrote to memory of 4716	1980	Hfofbd32.exe	93
PID 1980 wrote to memory of 4716	1980	Hfofbd32.exe	93
PID 1980 wrote to memory of 4716	1980	Hfofbd32.exe	93
PID 4716 wrote to memory of 628	4716	Hadkpm32.exe	94
PID 4716 wrote to memory of 628	4716	Hadkpm32.exe	94
PID 4716 wrote to memory of 628	4716	Hadkpm32.exe	94
PID 628 wrote to memory of 2728	628	Hccglh32.exe	95
PID 628 wrote to memory of 2728	628	Hccglh32.exe	95
PID 628 wrote to memory of 2728	628	Hccglh32.exe	95
PID 2728 wrote to memory of 2468	2728	Hippdo32.exe	96
PID 2728 wrote to memory of 2468	2728	Hippdo32.exe	96
PID 2728 wrote to memory of 2468	2728	Hippdo32.exe	96
PID 2468 wrote to memory of 3256	2468	Hpihai32.exe	97
PID 2468 wrote to memory of 3256	2468	Hpihai32.exe	97
PID 2468 wrote to memory of 3256	2468	Hpihai32.exe	97
PID 3256 wrote to memory of 1240	3256	Hcedaheh.exe	98
PID 3256 wrote to memory of 1240	3256	Hcedaheh.exe	98
PID 3256 wrote to memory of 1240	3256	Hcedaheh.exe	98
PID 1240 wrote to memory of 3956	1240	Hibljoco.exe	99
PID 1240 wrote to memory of 3956	1240	Hibljoco.exe	99
PID 1240 wrote to memory of 3956	1240	Hibljoco.exe	99
PID 3956 wrote to memory of 3976	3956	Haidklda.exe	100
PID 3956 wrote to memory of 3976	3956	Haidklda.exe	100
PID 3956 wrote to memory of 3976	3956	Haidklda.exe	100
PID 3976 wrote to memory of 5000	3976	Ibjqcd32.exe	101
PID 3976 wrote to memory of 5000	3976	Ibjqcd32.exe	101
PID 3976 wrote to memory of 5000	3976	Ibjqcd32.exe	101
PID 5000 wrote to memory of 3928	5000	Iffmccbi.exe	102
PID 5000 wrote to memory of 3928	5000	Iffmccbi.exe	102
PID 5000 wrote to memory of 3928	5000	Iffmccbi.exe	102
PID 3928 wrote to memory of 5060	3928	Iidipnal.exe	103
PID 3928 wrote to memory of 5060	3928	Iidipnal.exe	103
PID 3928 wrote to memory of 5060	3928	Iidipnal.exe	103
PID 5060 wrote to memory of 2224	5060	Iakaql32.exe	104
PID 5060 wrote to memory of 2224	5060	Iakaql32.exe	104
PID 5060 wrote to memory of 2224	5060	Iakaql32.exe	104
PID 2224 wrote to memory of 4108	2224	Icjmmg32.exe	105

C:\Users\Admin\AppData\Local\Temp\3ddc3362f2ff0e0468af09f623545e47c9b2484b8b4e2aebffb52e3fe4067bf2.exe
"C:\Users\Admin\AppData\Local\Temp\3ddc3362f2ff0e0468af09f623545e47c9b2484b8b4e2aebffb52e3fe4067bf2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\Gppekj32.exe
  C:\Windows\system32\Gppekj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\Hboagf32.exe
    C:\Windows\system32\Hboagf32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\SysWOW64\Hmdedo32.exe
      C:\Windows\system32\Hmdedo32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        25⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        28⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        29⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        39⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        40⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        43⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        49⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        53⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        56⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        67⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:876
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        69⤵
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        70⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        71⤵
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        72⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        73⤵
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        75⤵
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        79⤵
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4204
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        82⤵
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        85⤵
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3520
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        87⤵
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        88⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        97⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        103⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        105⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        107⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        109⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        111⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        113⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        117⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        119⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        123⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        126⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        127⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        128⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        129⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 404
        130⤵
        Program crash
        
        PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6108 -ip 6108
1⤵
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gppekj32.exe

Filesize
78KB

MD5
cb7263bc8b2220c0ce29e17933c4afdb

SHA1
6e1996bb3ac5999e196115ee4f3d0044ca3e4dc8

SHA256
066a191b4efc6fe7640643011e1f261f759843c77249e60422ebc5890110be69

SHA512
4b80b4f518b489b41254847727a6ae80f4ab4a8ee011960d7986ad595b9ffe8c4f83e8a9e6daee52557c52757704d85b5e8d9ba6609d959e935d2521e656843d

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
78KB

MD5
04ba94c1ded7e3444c2991061f2c9337

SHA1
51a8ec8e66d254b2402a8ae9dd2bc50f8902f30e

SHA256
4c9b22d358bed58acce44efa44b785a9c165c79a3ed602a5229546e0fdcfcf03

SHA512
25982415fd45f35a76b47f993cd0b8d473e1bc0d461e638898f2e1cf145adfbd5df738b2cd026cff40749eef4d41102f4e52e1349c7fcbf5094053525d49c2d0

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
78KB

MD5
eeff4e8c1c29f4e0d35bcbed76bd6d1c

SHA1
7814b11c6f3ee6a7bcd588513e0598ef04ad4fe0

SHA256
9ea16f8967c79d461e49c36bb0c0000c10133b155762f4a93c5a8f339b248268

SHA512
d91c09ecf2cab5a8c472f92baff00f1a763a4f56ef91e140b1e21d73f48a92dfa54ec1ed20a1f67498a1ab71b0707700601b8567128b3f1a691b1d009b155e16

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
78KB

MD5
327cf73f21be58847e098b1bf20a7ed0

SHA1
cf01a3ebda06746fd5c0fa47191bef7ec8466f43

SHA256
51fec85e07262b79906e7b41e3740601e5fac9e31baa3ba30fa686a987373929

SHA512
3471f753a330b048c74bb29f0c1d7845cb32e8dc832847ba5ac1818dc6e844388bab974b97a40f6d79b5d416347f2aea1b9226ef5c5edb42bee441dd242ee0bd

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
78KB

MD5
f8c9fc88b6f0e24c65dd6374b5e6f67e

SHA1
a5e645fcfd4f1dc50c5a0bcc5e8f9284008ed98d

SHA256
74ae000ba239d7b4b657a0c71d0c860e5d0d07f39a400d8bf38ca45cfa3d7bee

SHA512
a1f90f4cc245b98b147d8d20d8cbf66fd5343a25772070d4df11b18607ebe6ae2edfd2aba625e1c04d2b51eaa56082a58e19b2c0926630606fc4e85005423d1c

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
78KB

MD5
21dc42488bad049526d36e7835eeb269

SHA1
fb48bfb098618808262c08b1dc50db3b770894b1

SHA256
df8dc7edd792804e9f1622a468b0f1327d0d86ccb80ccd489881b286ac87e35e

SHA512
619049e0dcf8b3451373c09da555a69522180f0b7a5c5b081495e3c333d9b55dba8271fd3d8fef72b6d306427a440415e4d71d103c0cd42c00ef979d0f2168bc

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
78KB

MD5
1a9d36e8cde8fd5a091be97c0fd10abc

SHA1
837593657079ae819e06103eb56653c62558b9ce

SHA256
4d3b88295d07c520d12f9df8826ffeec921bf4a6155d130d890348be4c17718f

SHA512
a0b2d7cb9dce8150f3829892cdd5b39fdbdd25a21dd8c8be0c33a78b4ecdff7231de6cec514c96703af0e32bc15f1f056ef9f2dee71200c2de643b4a40eeb08e

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
78KB

MD5
2f7acd410ef70d8bed90aac1df730ef0

SHA1
3ff117cf451fc9363017d31c13044d6915d257e2

SHA256
0a09c47e65c573de1d6b916777783efeefce2e4a20883e8ab3aff2a9289733e8

SHA512
bafde65c6fc9a916519e285f46766bd19cf8aced2e369a19a98ea2326461bf85947061e15f99fbc953ab219ef8c570b15e4e22e4f83623a746ce412933a965a4

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
78KB

MD5
8c869b6da145d42e6e1347c26234cfd7

SHA1
52518a5b30342e138f2e03ec4dbf8f03c5613f99

SHA256
ceb69ecef9869849d4760f9dc7232aaf08963d290f1bb82ba575ea20b56dcfb5

SHA512
795b71c948aecb285dccb5406e1204dfc35b13c9248a645d4a29bade2ccfffcb59fd13366dfb6ecab8e5e1e556028e3ef9bf06df38b0aafbd848e47a0e052a84

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
78KB

MD5
317c0204a24e5d868310950768bd57f2

SHA1
e8a620639381463dec5b363d5d037edcd0884cf2

SHA256
0eeeb96c3329ea6bbe3caa6ba6662d50f1ed3747c356618131e3944f801c4ac0

SHA512
1b978dbad0c82d30f3a3e90e418f92110f8da387e162b534fddb5022eb7db6796027154f2822d009649c68c022bd6c3b0bdf67d9aa02cc10168296927bd40c12

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
78KB

MD5
3ee76fd3de0d4f64ff176c1eba9050ca

SHA1
dbed962c9e881c17189451bc1599240f3f496bcf

SHA256
b82dac47730c2e822cd13ffcc99d259448204238988ba8694cf73de3e72cc33d

SHA512
7d7f9c989308b504b55e44792e01330e95a704881468dfd9ad555470fe2d08e659f7f2f076715bd97a9266abfcb77c38ab4ac5a03335a25f66b85c068462210f

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
78KB

MD5
983b48c7ca81742fba08f1767cf32884

SHA1
0a8740f31a0cfde9809ee336ed13b2900eb0145e

SHA256
9cb5ea3244490907e07cecac10a3e2b9076e05d06b36bdc52da97164cadae459

SHA512
7693d0287fe724cea1020cf4000f56f481e8d61e6fa0e4dc713dfad11506153e09e5ae0671fe005c0fedd5b9ecfe6c404d345c68ebe7a1d98f595dbbaef56b64

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
78KB

MD5
5b36b02ff4f82b4193127b8a4900bed5

SHA1
3c25430c9d64f8ad49e8d57d5b4e5d63407213f1

SHA256
6774d109292199f20779dd39c0aef3c2d92033b28e577157223d8ea9f6f06c34

SHA512
da5380fa218b83b872ccb74a88b785b1c694c7616edad874d2f88f8b75de03e6be156d5b3407f7d11eedaf20cba5da80d7328049c0019f162c0d448b6cfa8536

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
78KB

MD5
b8df5d04631ea52faec4f1974e4e914d

SHA1
0ee3f9fcbe38e91bbd925fe47afcfeca56d0f48b

SHA256
7834cfbd84b4094981611accce8fe3d55859b5682ba90b3dab5e58be51066645

SHA512
6239f23268d292644bff562d24570913deecd5af276b0843660103ab82d9f175d87b10e02e4b219476881b67511f9e4910e6e7f9f45ca2cf5083cb4d782cfc01

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
78KB

MD5
a7d80b3c06a1392f8d880fde47066f17

SHA1
60e17f507d8e6295f87e09f92821457506bde13b

SHA256
01f11d602da1d0e5b670394b86a619e5952bdfe45a2d44d7fc3b160ae2fcbadf

SHA512
daaba08a2037e518dc3c80255b218de6e2010a3d6f9fc3da4a021b3ae60676a7da93eb0a961630be3239a4103528e256a8c2533e7fa06e59b4a2be0f3b7a5e12

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
78KB

MD5
f0c105f4c910bb92547a29527d45ee0d

SHA1
9136ea7898523501f118e705d37ff19748768103

SHA256
ee2dd6dd8cc6054a3eac2652d6c28d76f98acda0dbd8847b2ea10596318c6527

SHA512
36f29d5bbd056f3ae6d29cb4dd2b1a501a7ccf1f2d79697c35fbe8474b29a11a7c7a42326c8905c91884182148d363217299d9e2f5f59f46c8b8cf8ee2a17003

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
78KB

MD5
067b7191158eaf16076b9c4e9d71dd65

SHA1
1c6fb35447b0b5a526dbfb6edd40692f2bd83910

SHA256
954c43094b93ba4be5ddf5fe1f96caab9132ad962d88bd692d9dce2047884a52

SHA512
8a36b8ea3c59589e6493cc059c3edbaf96722e07eb45e880901e82b6f619be0d17d6c0cbb37371d9730dd9a6b8814bcbc9bb46a3a7bde5f1c24ab26fd375207d

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
78KB

MD5
6484570ae5e9f6c42bd2c0713e0fddb7

SHA1
eaaf1370be20406015534b3c34b2e2c2671d75f9

SHA256
4f9a8c7a766b43a7be7b70d9c95ab1e59f4f74d0acec94b8ef10273ec736b9e7

SHA512
295a203027a2d5fd4e32d1598e94b6a607ca91791669cdf11f2300ccc9698cc8dc19ea4574bb27b42d23bb753066aaa1f802f30273879f5a07348a4a19a9cb66

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
78KB

MD5
4d791ff20b7aa084c57549dc0a2803c3

SHA1
7f97ea9d06d9a5b4eddce88b9347ab477cdc064c

SHA256
56833d730b1bd7d22a521e2d2712e02a0cbaa63552b222b4c6bc23cdbab446f2

SHA512
5248b44df3f1c2f51b8e2954a3c3339b4e6e3327d826006cbae28076a7c484547413daec812be82a7bcee3bdde0e75af1732728d64ad0edef96b914ca0b30183

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
78KB

MD5
19c039f2e2dc7fad23faf2e7be34c920

SHA1
71ffb599e01925034a21f502eb4f458a87ac3c20

SHA256
a35e03891051cf57952335a036af198a6fc3cb42f74d099ee9aa5d6700e8f753

SHA512
bf739e97b045c1205711122002ddcf96b10122e4087f4a9703c7cd2afd39aad9aea87cf9f1ebbf7a4a60a6110aa2721d58107b89b7222f53af6a5a7c6e0427fd

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
78KB

MD5
55ecff9dc5ffa7e53dc5cd853284f867

SHA1
351980e35f57bcede500e7214ff1f260e6484e6b

SHA256
e27bf6259e1398bcb69bbd6e9ec3ecee7edadc54a94e3375e93d6daa735653dc

SHA512
d9bfe31c9ffcfc3da704ab09f649a5dcce4780450e54247e35f1663ee7690c563a2c0760462786950176a89513f22c1d799e887a2982b52e79986be1d58aed18

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
78KB

MD5
316be30dbada595f2bf0e37fc6062a58

SHA1
019142fd7f851ff85257def6555c010466d306cc

SHA256
255d56cf6337e07762ff6af297efba3b010205e07b950009ad515166889b79c8

SHA512
a1d4e36d38c23c6d9410a6c832a50a3887256bb4395182a84b033d25391d58ac8c6e79898e3fa406a1f22e5daf5ddb93d772a7e16a0081408d0edb58edd2843e

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
78KB

MD5
45f93ebd8865aad429ae3f1484ed0257

SHA1
b984d085ca83da646e399a4fd9eac0b06af0dde2

SHA256
966eb7a46775a3665ef43ca057284725fd562266a0ff12095407e1704ea8cfb1

SHA512
8fe7a327581f3d29739a484e91925a1525eeee582a90898b1a890e1e72bcdde92d9096f44484f0acdc305eb726cdf8797aac95f3e1e40bcc048db1ea1cbbef79

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
78KB

MD5
543848b7a7e8b0da2afbe67d42efb043

SHA1
e2f853d0312df31bb9a7fee42b5d9cb6241c151b

SHA256
7a2d670ec2b043810bc9ef6c3c178f633752bef61df8a3af918f8ecb1b00feb8

SHA512
80e871574e3a4bc7846f7623f82917e1074043b2098e954e0fb0b036edffe413a402686be7e4705eb3eccb0f2d91202768e5fa2758cc198ffafe1bfb7eb5a1fe

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
78KB

MD5
e0de94063c9938d2706981611acb10bc

SHA1
dfe35f20045b80e8d467fcc4e0b1dbe594270721

SHA256
f654738459a3e3b7989eb718e6efb58e2a74f16451c28b9527e8f295637976f3

SHA512
832fd95ba351839f12ae87224466520157a03d8a913f05cdadf02f178bfadea6b6b146f37260697c30c7895f2e51eb40bcddabb8f17aa05d1854932bc1179094

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
78KB

MD5
3a10f5cfc90f6624c3e8c9a3542ef6c5

SHA1
3c8429214482e03228c59815dcd3ed142568a95b

SHA256
0c2a1cd5b940cb4aa5b6ef1db9fa7c13b6e17909be45fa3e69ab32c6b62e6eaf

SHA512
e5068bcdd75133f79479d3ed296b96785d0647077a37647e187e4e69d69880ce12da1b2c83f2df395c8cfd62a1eacf3c31a55dccd6faf8a970bd7743e631efe2

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
78KB

MD5
fa8e66612d64c21c3e7e78d00eb29ce9

SHA1
d3516c7085e1a51813bbf495f0318dba0427917d

SHA256
99a000ad6a8bc9c1927b1c45db67598294d4c3575502a8ffaecc53c22c560fd9

SHA512
e4824b9f65ecdc370de8ff629d80f937beba2a6ddc6f574ec9ae63887f670b226c384aa120331671503d03e4cc9fa93effef97860215fadec102bafee1882e58

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
78KB

MD5
02f484caff172bc1a2bc46b692da9a2d

SHA1
43ce6c7e6abba4bfe17f45036b3821dd9aa9b30e

SHA256
a009185d4154537fe507770250a7b1c33470842c7ebdcfa226c8d12ea42c495f

SHA512
edee1ed01d08882a2eb61d8301f0ce91a480ed8b5ab151ab8bb69a1d7566434dfdc21997ab998866cc12f39b49eeca1a4b1b202220ddc9558c1abe0c6927c96d

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
78KB

MD5
2d66f9237554fe55f5a00e431ade8a66

SHA1
74d0067335f81ef102f0e43b169b90c43f5fea40

SHA256
6b5dcd468af1e1d79b368f7729caaf643b3750ee52edd8ab233f05656c973b94

SHA512
a2b8e72a62ddf7cb507beac26ae9b8e22608147633c0ce60b9214b102ba4b5ce354d0e9996dc8fc7344a086d88f337999abf568c5a9a011f9b79aa3f2d1eb9b8

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
78KB

MD5
cbbddf61c2da90678ffa0eefd9c41e5f

SHA1
7363d73020968904c3c639c2a79414f28a67092d

SHA256
a5f83ea5a56743fb0f1997baa3d340bf5a9a874c5b2b5f67fd3a59dcdab04dda

SHA512
d3ec65a15d9f444cf9697ea02f94df487cd9ddd0fa4c15e79a1e27088b0d5f6f230124edf9405581bac3b9948ecfa628da52c21f810887898c46c7658038efc8

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
78KB

MD5
359cae3205345a8158c1dc7107a4a30c

SHA1
0112f42d1a1fad7532c3ccdf6f1469cf31512a6b

SHA256
c9ed071c5b755dde6f928a9bf2048f37e24df4268a8e0e14a4a7d97ec08a44a8

SHA512
de69aee18cfa27f9a21e0c79a4b2f09f751af70592008d107561caa23aa333892674f184752383b6a72ab66b4efcf90e6ae92e7a97fc778892160debec90df51

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
78KB

MD5
faae50bfed1505cb1591e5188f515c12

SHA1
27baf8000889a890c94b0b2ddf52651918dfa6bc

SHA256
3a65cc20b3f09cd9cc7a4bc106f2e5b71e3ccfb8517c9a28669cd60efde66b30

SHA512
481b8dbcb3595e92d8d3fe30768f5638887f9bce0fccb2475cfedb1a3db7949db8bd47865cf7611cb567db26350020f0555c74fa102c2afab5c7d278ecedc6d3

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
78KB

MD5
5e58c2b98a08f097c9c1790423afe014

SHA1
398fbcc73f984310a8845453e4958e460e1c1915

SHA256
0784e43ad5c7d485e2e6e1ecd8f8011dea8078619b6ee36a036de26c9b816ff4

SHA512
7f96366b2df86d6cbc11965992d2eaf926910a56931d19d28feaec2c8b8c897e20256c28932504f70a9741bed0bf01767a27d72eddefab59153974037958dbf6

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
78KB

MD5
36aae1083857c8d21c8511ba7e0b5083

SHA1
ed518b32d01cb59e9cc35e453c234f38d7880301

SHA256
ee6eb25cbbd9aba5f06d18771d48995ae3a24fde36751c4b2fbf3afe92a1befb

SHA512
3f962aec5d464030fcf355b92a0c4117a7fbafd26e1f6ddea56394075477c7eec31293c58841ce483cc1903838702cec5b0374eab1f8c4c74b43be0b1533461c

Download Submit
memory/224-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/436-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-507-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-537-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/876-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/932-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1240-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1284-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-513-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1320-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1500-563-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1808-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-590-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1916-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1968-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1980-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2024-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-604-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2220-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2384-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-476-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2472-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2788-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3032-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3184-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3256-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3300-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3320-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3384-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3400-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3520-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3584-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3604-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3708-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3732-603-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3816-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3908-489-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3976-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4108-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4176-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4176-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-601-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4312-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-591-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4592-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4656-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4844-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5104-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads