940d14de6651ddaa491bb92dfb0eeb41759bcdd73bb703e42e50265db9db30f7

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

940d14de6651ddaa491bb92dfb0eeb41759bcdd73bb703e42e50265db9db30f7.exe
Size

335KB
MD5

578a2e2c0bfebc3d3912acd4e3be792c
SHA1

412d97592fc78e2735c204aa186adca03f802169
SHA256

940d14de6651ddaa491bb92dfb0eeb41759bcdd73bb703e42e50265db9db30f7
SHA512

a6d391a76d95de60e3cb62109f03d2ab1c94c5c4c72efbed3c26b49e05000d6011b0bbc5783cba584ab0d6b4265eebd4851b332a529aa715243fea55300b1ede
SSDEEP

6144:3bWYMJvLvwU/4qwvwU/4qvvwevwU/4q+vwk/4q7:3Y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe

Executes dropped EXE 64 IoCs

pid	Process
2340	Gcbnejem.exe
1088	Gmkbnp32.exe
1948	Goiojk32.exe
3632	Gcekkjcj.exe
2564	Gfcgge32.exe
2488	Gjocgdkg.exe
4316	Gmmocpjk.exe
4244	Gqikdn32.exe
4980	Gcggpj32.exe
3580	Gbjhlfhb.exe
1600	Gfedle32.exe
2348	Gjapmdid.exe
4224	Gmoliohh.exe
5048	Gqkhjn32.exe
4648	Gcidfi32.exe
1424	Gbldaffp.exe
4524	Gfhqbe32.exe
4716	Gjclbc32.exe
2020	Gmaioo32.exe
640	Gameonno.exe
3788	Hclakimb.exe
4940	Hboagf32.exe
4800	Hfjmgdlf.exe
548	Hihicplj.exe
4216	Hmdedo32.exe
884	Hapaemll.exe
1728	Hpbaqj32.exe
2332	Hcnnaikp.exe
1908	Hbanme32.exe
1784	Hjhfnccl.exe
4804	Hikfip32.exe
1524	Hmfbjnbp.exe
4032	Habnjm32.exe
3436	Hpenfjad.exe
1952	Hcqjfh32.exe
4864	Hbckbepg.exe
3140	Hmioonpn.exe
368	Hadkpm32.exe
5044	Hpgkkioa.exe
4328	Hccglh32.exe
2944	Hbeghene.exe
928	Hfachc32.exe
4660	Hjmoibog.exe
5080	Hippdo32.exe
1444	Hmklen32.exe
2612	Haggelfd.exe
3776	Hpihai32.exe
4308	Hbhdmd32.exe
4672	Hfcpncdk.exe
3568	Hjolnb32.exe
3992	Hibljoco.exe
3652	Hmmhjm32.exe
1252	Haidklda.exe
2804	Ipldfi32.exe
2916	Icgqggce.exe
912	Iffmccbi.exe
4048	Ijaida32.exe
1480	Iidipnal.exe
4476	Impepm32.exe
2584	Iakaql32.exe
5096	Ipnalhii.exe
3300	Icjmmg32.exe
2624	Ifhiib32.exe
1020	Ijdeiaio.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Opocad32.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gameonno.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5452	5312	WerFault.exe	216

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	940d14de6651ddaa491bb92dfb0eeb41759bcdd73bb703e42e50265db9db30f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	940d14de6651ddaa491bb92dfb0eeb41759bcdd73bb703e42e50265db9db30f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2340	4164	940d14de6651ddaa491bb92dfb0eeb41759bcdd73bb703e42e50265db9db30f7.exe	82
PID 4164 wrote to memory of 2340	4164	940d14de6651ddaa491bb92dfb0eeb41759bcdd73bb703e42e50265db9db30f7.exe	82
PID 4164 wrote to memory of 2340	4164	940d14de6651ddaa491bb92dfb0eeb41759bcdd73bb703e42e50265db9db30f7.exe	82
PID 2340 wrote to memory of 1088	2340	Gcbnejem.exe	83
PID 2340 wrote to memory of 1088	2340	Gcbnejem.exe	83
PID 2340 wrote to memory of 1088	2340	Gcbnejem.exe	83
PID 1088 wrote to memory of 1948	1088	Gmkbnp32.exe	84
PID 1088 wrote to memory of 1948	1088	Gmkbnp32.exe	84
PID 1088 wrote to memory of 1948	1088	Gmkbnp32.exe	84
PID 1948 wrote to memory of 3632	1948	Goiojk32.exe	85
PID 1948 wrote to memory of 3632	1948	Goiojk32.exe	85
PID 1948 wrote to memory of 3632	1948	Goiojk32.exe	85
PID 3632 wrote to memory of 2564	3632	Gcekkjcj.exe	86
PID 3632 wrote to memory of 2564	3632	Gcekkjcj.exe	86
PID 3632 wrote to memory of 2564	3632	Gcekkjcj.exe	86
PID 2564 wrote to memory of 2488	2564	Gfcgge32.exe	87
PID 2564 wrote to memory of 2488	2564	Gfcgge32.exe	87
PID 2564 wrote to memory of 2488	2564	Gfcgge32.exe	87
PID 2488 wrote to memory of 4316	2488	Gjocgdkg.exe	88
PID 2488 wrote to memory of 4316	2488	Gjocgdkg.exe	88
PID 2488 wrote to memory of 4316	2488	Gjocgdkg.exe	88
PID 4316 wrote to memory of 4244	4316	Gmmocpjk.exe	89
PID 4316 wrote to memory of 4244	4316	Gmmocpjk.exe	89
PID 4316 wrote to memory of 4244	4316	Gmmocpjk.exe	89
PID 4244 wrote to memory of 4980	4244	Gqikdn32.exe	90
PID 4244 wrote to memory of 4980	4244	Gqikdn32.exe	90
PID 4244 wrote to memory of 4980	4244	Gqikdn32.exe	90
PID 4980 wrote to memory of 3580	4980	Gcggpj32.exe	91
PID 4980 wrote to memory of 3580	4980	Gcggpj32.exe	91
PID 4980 wrote to memory of 3580	4980	Gcggpj32.exe	91
PID 3580 wrote to memory of 1600	3580	Gbjhlfhb.exe	92
PID 3580 wrote to memory of 1600	3580	Gbjhlfhb.exe	92
PID 3580 wrote to memory of 1600	3580	Gbjhlfhb.exe	92
PID 1600 wrote to memory of 2348	1600	Gfedle32.exe	93
PID 1600 wrote to memory of 2348	1600	Gfedle32.exe	93
PID 1600 wrote to memory of 2348	1600	Gfedle32.exe	93
PID 2348 wrote to memory of 4224	2348	Gjapmdid.exe	94
PID 2348 wrote to memory of 4224	2348	Gjapmdid.exe	94
PID 2348 wrote to memory of 4224	2348	Gjapmdid.exe	94
PID 4224 wrote to memory of 5048	4224	Gmoliohh.exe	95
PID 4224 wrote to memory of 5048	4224	Gmoliohh.exe	95
PID 4224 wrote to memory of 5048	4224	Gmoliohh.exe	95
PID 5048 wrote to memory of 4648	5048	Gqkhjn32.exe	96
PID 5048 wrote to memory of 4648	5048	Gqkhjn32.exe	96
PID 5048 wrote to memory of 4648	5048	Gqkhjn32.exe	96
PID 4648 wrote to memory of 1424	4648	Gcidfi32.exe	97
PID 4648 wrote to memory of 1424	4648	Gcidfi32.exe	97
PID 4648 wrote to memory of 1424	4648	Gcidfi32.exe	97
PID 1424 wrote to memory of 4524	1424	Gbldaffp.exe	98
PID 1424 wrote to memory of 4524	1424	Gbldaffp.exe	98
PID 1424 wrote to memory of 4524	1424	Gbldaffp.exe	98
PID 4524 wrote to memory of 4716	4524	Gfhqbe32.exe	99
PID 4524 wrote to memory of 4716	4524	Gfhqbe32.exe	99
PID 4524 wrote to memory of 4716	4524	Gfhqbe32.exe	99
PID 4716 wrote to memory of 2020	4716	Gjclbc32.exe	100
PID 4716 wrote to memory of 2020	4716	Gjclbc32.exe	100
PID 4716 wrote to memory of 2020	4716	Gjclbc32.exe	100
PID 2020 wrote to memory of 640	2020	Gmaioo32.exe	101
PID 2020 wrote to memory of 640	2020	Gmaioo32.exe	101
PID 2020 wrote to memory of 640	2020	Gmaioo32.exe	101
PID 640 wrote to memory of 3788	640	Gameonno.exe	102
PID 640 wrote to memory of 3788	640	Gameonno.exe	102
PID 640 wrote to memory of 3788	640	Gameonno.exe	102
PID 3788 wrote to memory of 4940	3788	Hclakimb.exe	103

C:\Users\Admin\AppData\Local\Temp\940d14de6651ddaa491bb92dfb0eeb41759bcdd73bb703e42e50265db9db30f7.exe
"C:\Users\Admin\AppData\Local\Temp\940d14de6651ddaa491bb92dfb0eeb41759bcdd73bb703e42e50265db9db30f7.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\Gcbnejem.exe
  C:\Windows\system32\Gcbnejem.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\Gmkbnp32.exe
    C:\Windows\system32\Gmkbnp32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\Goiojk32.exe
      C:\Windows\system32\Goiojk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
      - C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        24⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        26⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        27⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        28⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        29⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        31⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        33⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        38⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        50⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        58⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        64⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        68⤵
        
        PID:952
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        69⤵
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1400
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        71⤵
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        72⤵
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        73⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1692
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        76⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3576
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        78⤵
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        81⤵
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        82⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        87⤵
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        88⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        89⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        90⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        91⤵
        
        PID:740
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        92⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4856
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4336
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        97⤵
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        98⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        102⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        103⤵
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        105⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        108⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        109⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        110⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        111⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        117⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        120⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        123⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        133⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 408
        134⤵
        Program crash
        
        PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5312 -ip 5312
1⤵
PID:5476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
335KB

MD5
58c011d4d3cdf656d303177a5e64bd6e

SHA1
c9718ef2a0cc777eb3b6c44df86f74b5994ec2e7

SHA256
f62c74b2c69ea9c7ed91c5c57d53d0dafcb4582887c2368d74f857c74ca79622

SHA512
1d95cbba299153d384796a6187ea7cf52dbbc5fc0e0f61850d3dae6fe292bb38379a4f8c0c85b97daa70940610c5ccf0c67a1b924054aceb69f7f792fdbebe28

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
335KB

MD5
e1f625ff1396173cd4abd0eff5d5329c

SHA1
b0b210fa0a2916067899559dfb209e9996341604

SHA256
9b60c0ec067682672064dcc62db8dfd35bd3e7efb16a7e2c9c9cf56efa43dc87

SHA512
fb3e2428a5fefbdc85a877b2363af0af55f17042efa6894ee459d84adaa56e468553bebd4d8064e632e52df9c28a536b1984f91f05dd9c0893b728f6a9f87e70

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
335KB

MD5
2d388c33c1a4d652a96b0d264c52077e

SHA1
adc0cceb8067d1eb14899d44b3257e8e0aca83b0

SHA256
0ad11cec4ed9795d67fca85efa39e7e17141c9bf18b5611d995653651a1efb69

SHA512
4e7e8992460402732592b4be9c616b2041bd8b2117e465315cf8f6a9065cd5a00c4c936e9b878ef8be69d0ed3e0fee3444afb0252ca3b6fad38a99ae1c3f1c80

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
335KB

MD5
a3630a5abbd56c9546601eb5b24109d0

SHA1
7cd7970db4de9647dd831b564e732a1fa711b51f

SHA256
d2ad420054bdb6657ad80862b286f919da34591a13d045e7d126aa5f87b0eadd

SHA512
59f97ebfe6f03a0d792a3d0f63db89f3f7f96fd9507299b95232574582fb5c8e2eba4373f0833890e4ff95be9fa31af4c0abae66268fd86d3b2344da6d228a0e

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
335KB

MD5
c564a8e7e5aa45c15b70b508ad864bd3

SHA1
c93d4895305c57392d9006891789a099ed0a5ffd

SHA256
e352daaa626a50a29a8401ba7bd8fa1d642516517d956dd7194a82a3d4a2bca4

SHA512
40417a67688143de5452a867553f18b8df612e3d3c2bf2f8acf57efebec20b2f989776ac61775536ffbf3269530eae1877658e96e2025de2154f1fa5acd100e0

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
335KB

MD5
c56fd05c28ad784e3037385035bbdf44

SHA1
04bbf6f3f8c9008757969c37c7b968479ecdd367

SHA256
1f6df9e511c6dc771e479a7729a9da5d870a04873e81d054aee91134173ae35b

SHA512
4701af368fa03a62999dc76ad815c78a073f16f422c5fcedc9b34c52967126c78b1ed403287c51d9a2584888611380c36b3f6dae00c89ee6937e14f53191b75a

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
335KB

MD5
1b48e4a026ad0787d0aeefef2ac75571

SHA1
674584f4e626634a8ec4efe848c703225fb51c3e

SHA256
e8d7a279f93341fab2d07d8ed11a2320d064f402db7457e9da7f02ac97ce222a

SHA512
c85148e2e7735681d65dad32ebd2c26efd22afc8d94e89fbf1ce08e1a26d28ea38223c95c2897bf4f0038bfa5476bc8169eb3eab4361b4067b3cd93a5e9e5182

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
335KB

MD5
67d723db0cfbbf99d9d670384c6adb88

SHA1
d403e0a486787bae1253db5ff39a816891447a4e

SHA256
a3e967d11f385c2faea47e214e8f22b08e0300a7353847802890de7f86be63df

SHA512
01c7ebb64ef69798130e70f4f37424fadd2cde0c4724bafe3fd9622c5e99ea577a19be7d2ee755145c40e8d3a9153356550eb650115f24ea0471139863b476df

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
335KB

MD5
de06618ace70bbd236ad1c8b21cd1b6d

SHA1
dc8b2b3a98964980e088a525bb63e38f44f2f481

SHA256
cc8794bd727f89ae6f65a38c35c1986cf69d5fb2f1e9c2961482a3f5524b525d

SHA512
a7508d2e1d81b061f802e4fed142cd2c67b0636f0f21db8955bf8b0aab8d1c177f06e8ab7212e8581ec40c98194ef78191a242f23438447e04391358f1cb1989

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
335KB

MD5
934399ba20c0af6632638a7ca7ba9ec9

SHA1
2d26c59a223800c41bce970e207841bc60a3fd10

SHA256
588f1675ee36c4b831f2c122ffc5e1bc80f12a63dac5ce63ab12ee3ed1bf0039

SHA512
3652c163fed4eed3a821d72c6dc6fc9adf9aedab88eab15b207b38dc10d7927b6d82c2ddc2751a63b929198ee29d90a2a1335fbbeab74f9d8d33b144e53a8614

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
335KB

MD5
7d3d15f13755c46af6b1862e2c53c449

SHA1
e16a0fe5ec043bbcef2adfd50393789c095bb044

SHA256
7311dd0fa3eb40132dd24d49da7e79cb38aebffac4da6951c7b18b9f98d468d2

SHA512
1278d3da598dafe9f83bce72d125657b944646099d090d008d0aad9961b5599bb8727bb885fca4c387867dc91ac90b942a926064e1abac006482e1abef8c03da

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
335KB

MD5
a85cbd2575e42e299e9c3f8d74781b6d

SHA1
ca2715d8aa0b5908fee8aabef07d147f862fb793

SHA256
bcb28e70ab7e64add92eb38c1cadf048119310d4a53002bd3e1d7fcf9e7c70c0

SHA512
21d0cc1acdb19f0c95aa4c044b49c7a2080430e0bb01d12bbf62d72f61e068feca2110ff37c8c057d85dea84376f2a450434578def654ad3ca57f1311f0b3ee8

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
335KB

MD5
3ebe0c4af8cc8b10826370b1d29407db

SHA1
3116a4d27a8c0e36e5f7090581c1fc429e6fff5b

SHA256
bc069fe47117e842ee31129ffffc6a7a87b300652d91529bd62adce550a4ca0d

SHA512
c69fcaba705056d8be1731d83d178975bfe351e1f3247fc033ef4dee25f25ed700d788a4bfa0d4949ec0b02e65e2906ebf2d3826a4adb69d88f55f56e9c9b0d0

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
335KB

MD5
d3e5b70a278618ca83ef43b0bf15565a

SHA1
1eda22bc8ad5a24ca72be3f5819836f69a8c63ad

SHA256
0af1c60cae47bae51391c73c6468b2ce192f582eedca4184df4b97452d8dd17a

SHA512
e127c5162da70b58d88031021110140f12ff9cc15e747031c2cd8f73e2d76b1de0fed186971aea3b90e198ec50525ca41cd197bafbcc400b98a6705aa773000e

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
335KB

MD5
57de2f72fc4fde5eefa1a6a4cef5b204

SHA1
d78e2af400659d29d5d50be4162555437426dc7f

SHA256
c045457ec8b4588b56b17fcbc8eacdc62f350aa8834e9ff6a34c88511c3fcbe4

SHA512
4f9e327d9ff1565236036b90ed9b52284dcd6e5dadb91f3ac692c172102ef6a5c5fdf0236bb1971bc3e7c43cea25f6fd566c2936b48266f200daa29e8217307d

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
335KB

MD5
998153fa8a3e8e9c3eca721f5795d0aa

SHA1
03258bbaf19ab29728fbc3d120632f8c5b3c37fd

SHA256
30cde5e3cd14000e313f99f80c1359b945cfa6dd4e8661f1327595548cf84f6b

SHA512
011700658929b2eaf1c7ee6e016e67a68df706ad3e6250305787e94f9b257d6b8f8c60c90cda327c26e260e6464c42cf271dfc8d7bc1f94f26032fd99d0e6e7f

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
335KB

MD5
af3cc0e8896ce404d0f257ec0ff8f1a1

SHA1
b0148a2fc780e16756dd6eddac92a27cfbde5ca0

SHA256
ff834b4c3b1d511de00d0eccddd91e617ce8271c9c7b876c7bc9f78d467a676f

SHA512
edbbbb04c8f6c187d4d3a665a88a316e9a14bd9812c5e662146f811db5b31391e688c500ee5c95c8de8bf1340cce178a361921db273c27fb1d179719b4577d58

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
335KB

MD5
06641d3881e88345eb40516aa53be23b

SHA1
988f6ef43e3601d1552cbb2037e3d439f9bc8eca

SHA256
ddc32f3c78a21bd46a2d011129a5800b98a3d08b57d6a30d568e237258419999

SHA512
9d87b644debdaa6c3055112054daaae14a6e4527d266e821b26569bc74739532a6f4d76524870b1df15f7aba132de4511d4172e156838546ccef17e78f6b9c43

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
335KB

MD5
369771795ada8f3b8c1338478a8f2d6c

SHA1
c983199223db367c1d66ce766c8047fc9696fd46

SHA256
b128b812870d82fc2ea5f50e474cdcdd9f6399a7f806213f55b2d13bb83b9573

SHA512
37b89c0f9032995c49b726c2f094d3c4311ad0bf82a92c2929345a86560b27fa88ad52ece41ec43ff7b8e1e9404c2244f667f5c975a7064c91b227b527f09a3d

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
335KB

MD5
b2c476201f5d09cc876156b6a52144f3

SHA1
36dd432cf905181229998b8e117b36a57125941b

SHA256
5043c7536464b89eec461976fa668b9af2f3b60e8a065ea94f58f0a753a192c5

SHA512
d9d65f016a45560594f2712a7818e63d7b2d1fc1f66fd6773e4205f8236653466062fe0ccfbd77db595d8fa52cc718ff0a42d08952fe24e4c686522daae794ef

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
335KB

MD5
a24699ffdaf4ae5bfeaa28ee30c82493

SHA1
4049a716b450492336aee046a2dd7f76cd71c0be

SHA256
cdbe4c301af2d99bd88232f7c267e9f1df0cbc9e2e21b68065aa61bab4dae657

SHA512
087f5bb8387f4b124bb10384e34cb32151384c5a6cc1db9dad89fb8bf425f9329cf4d14b11a9eeb62abccf62a91f24853b6d017797328f3c6dc5ab1f7ef11928

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
335KB

MD5
d6f5c0f9c2453adfed0f94a615c86a2c

SHA1
83db6be27e3804524f3eafa9cec4aebac253c9d3

SHA256
6974286f62283bacb5d20e6ff7dbf46990a485940e7cc459bfd15e2b26ede364

SHA512
cd60bb000e4b9c58b545b229baa62859b34529949e73e5465b979c6d88ea67fa0f3bf5e13940e8001afef91417159151a4138f4bddabf52812e03d323c89f1eb

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
335KB

MD5
39bf1eb0816fee19fe0b7ecd495cea8c

SHA1
febfd6683db1eb6ba4b294e7a0d37cec57a4423f

SHA256
1844ffa02af02202e0feac866578825e3482614688779ad2a6ce934e2362083e

SHA512
ed7f97d9109b17b29d919349c860ef5f9b18b6ca4efeafa4e520b52b3d4c61b31f2a3eaa5fa2edd238e3c5efce7abc612e20e5c7b2c4da63f00de1f04a996361

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
335KB

MD5
5ad49bfa0cf4a69d20c431e90e83d951

SHA1
4125b2858875cbe2ef2112ad7cb21114a27b2131

SHA256
b22bde6b951a35e08b5db5d423759a485b0fcb0787f2808e9e47ea0414640e93

SHA512
a8e4fd45663a66aa13058c041e8f33ff379a835e8e1e2346bf8faae3801420f3e164c76118c0b1335f8b8e652b23318a349d66a1c93a347ea281adee1eebb6eb

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
335KB

MD5
631e08e724d1704486672cad77547df2

SHA1
6fef8ee1769e90ce5c2df0e69e88d6e26c57d61c

SHA256
430ce93f5ce4c8074f7792791aee9aaabf8089c56306cd7782d16a2b19a25224

SHA512
21841fd6e352a47f1b127a60c1d8c75c57b7875ccaa6ebb16087735c5267d3c1635162cbbef12639072c08a9b4f2d6cc3c632f0faa63249a003ae760b09ba20d

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
335KB

MD5
980775c328a004fdd9fa8bc1b2499007

SHA1
e9a5d2b988598f089e821651c546e9f8d147e89a

SHA256
96c19949f00c124dd92f0428c182aad44229cfc5b3b7f5ddeac370bc3ad7bb74

SHA512
2f1b0f04271f2c657ef227abe099676bd16ea93ee097779b8fad7e6f8aef5147317abec342e802fc982d2aa0170482bf1f08c6073ac33b55a93380f2e61d5388

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
335KB

MD5
fa0b1108531a65fea4936e73275dbba9

SHA1
4b2a86fbe685194b7a7489ce2d3734f6c1f457e8

SHA256
25527f78a117e2e940a428dbe1c82f5a2ab8746b48536945fbb001fb5d050994

SHA512
94609e0befaa05b6e157bdbcccec89db564d87a1107227f68d097d5fe135c6ccff7006894803b98e9e50c62c163226112e8c3d83a24bd6ff18db88dc8f1a7fea

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
335KB

MD5
ec2cac79e2cbdb1994d65cf73c5c9bf6

SHA1
8b30b7ed13dff9623682e3e6a91f0de7d56e67d9

SHA256
be9560c74e0147f6f5f5b5c6d16ae351d3aed587e4e2209d68f76fb195bb51c6

SHA512
15e2130db2309408bd7df730a2156b0c8455dd1acd72de2c15703770777716b88f536c3ac10e530de4bdda722445e84e1090cf771c8afe7a982cc8768ff822be

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
335KB

MD5
4c035ef90d71d0b841cfa2df19818cc1

SHA1
c3f573028ff45eaccc0826e11a16abedb2124b0a

SHA256
25b7fe256d6028fd2f6802616c5507a0f8aa3eeb84d5043001abd0506fce6dfe

SHA512
9852eec0980dea3812d05656441bd039f8fda2c32cc031d3cc6308ca368dae27cf8da654550400dfbdff977839e9e251f9d27eda001cabefa3b3e43f0396ac7c

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
335KB

MD5
764f95fafe726ee5056bcba695ae460f

SHA1
43a9e1c021324c9ead02883fc5be913788059058

SHA256
443f33a1464a08315367f155f4fa04ad950f01dfc93c324103511817a7cdc326

SHA512
25f42a5ae16d2c5ac3e54d5219a72754cabff1b5d5e943d99b15c5453fdf240d6c5694e63331056b30a73306892f929f01e4f9a44c8e30cc6f8dd2049c536d4c

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
335KB

MD5
b84bbbd7e6b0495585e5d043b7312b50

SHA1
4eeb145f545ebe00a5fa9ca9e49210e3a4e4d829

SHA256
a4a9af7f7266cf0d0a5653ed5206e3445fe342e99e7d640d0eb4d62c37f398f9

SHA512
9f4b4d585bc6abb0dc24cefddd7c57c368900815821ef476ae246eb1d45b65d5f3258464e16ce45d9a6d7c4dfbbd2915b95e2854405f566e2ac35eed535c320f

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
335KB

MD5
91abdf4dc4f408ea9b0d3ab01f92a57a

SHA1
7cdde0ec8cfdee1fc45051e1c4372a7f1e68423e

SHA256
b6670ee6dd3b51ecd52e255f371094f57cfbda56f3a9f4b81523dd81c49558bc

SHA512
5825644f9d6f45722783a46165f8b09c52d5e2dd884ab3115eca1cfe9881fee01c46d80a243c130044e111e6b797ce8e237575d7cfb573727d3af9e43af61354

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
335KB

MD5
6455a1c6d5870a29a4a2b402ca0bc991

SHA1
43884bc640543f20292cfac41a9eaf857823fd31

SHA256
f0a995f2aff180e668f2d38377450a4e951d8f854cfdc46d8726efcdaa0f4084

SHA512
0179f3ccc38823784295bf782a3209136f7f2b48370458c4f046f60f160d9a7048f24738ca0d79d81febc7a16b9efbb3f65ef5380f10b6c24d687c9f0752e06f

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
335KB

MD5
baa73ac8a24b98db389e64edd3618422

SHA1
55cda67b40e9c1ce419e406179b657fb163ee6b0

SHA256
32e00cf517c73bf91802138f7bae7fb84ac4217c620cbe735659635051524303

SHA512
30f8d894729cdad0250ed1d66602f60d1a5bcbe65354072d61f5b5d9ad7c6f9f3ddc8aefbe351010cb253d04b92580b7afe705958bb0b91036a74209b2f1938e

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
335KB

MD5
9a444e757250e1072808317e369d3cf4

SHA1
da78215a600f53d817f0a05d103679c692545e4b

SHA256
236d879c85a40fb356762e57ddd6bfdb55d8f1886d94867f097734e38f385bdf

SHA512
47841fcae4a46e6fbffb8a2e4bce54e5adebbb39bcdf690c55f04e2f1e4d7ec21a16561988fe68b26fd79a029ec0bb6b8e8165875e39637d76e5976fcfa91b6d

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
335KB

MD5
2ef92088d8dc5789ade7d90306f04bd3

SHA1
49b3a3b9024441c0cbbe35cd673d78c1a68f7862

SHA256
d717b545044140c8839f3e988901e7748aeefb2daa69c3c40d1df42eaa5902eb

SHA512
fe4d899326f61d24a0beaf6254ca1c1c8b6184b4f21723fa14f8db21aa0ff6bc1e269f2008d4d1cac5ca8f348e5c120088c8854f35ded1cb5958dd2546505b1d

Download Submit
memory/540-623-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/548-457-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/640-448-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/740-554-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1088-20-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1416-553-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1424-445-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1600-440-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1612-518-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1784-460-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1908-459-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1948-28-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2332-458-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2340-7-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2348-441-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2352-560-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2444-601-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2464-617-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2488-52-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2564-45-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2568-508-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2612-465-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2976-467-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3576-473-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3580-439-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3632-36-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3708-496-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3748-572-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3788-449-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4004-566-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4164-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4224-442-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4244-437-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4284-530-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4292-495-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4316-436-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4336-587-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4360-483-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4420-537-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4524-446-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4648-444-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4716-447-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4732-502-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4800-456-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4940-454-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4956-531-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4968-599-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4980-438-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5048-443-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5052-616-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5132-634-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5164-780-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5164-798-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5208-644-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5228-797-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5228-786-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5240-846-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5240-650-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5288-844-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5312-795-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5312-792-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5324-842-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5360-662-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5360-840-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5400-838-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5400-672-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5440-836-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5440-674-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5480-834-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5516-689-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5516-832-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5548-830-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5592-700-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5592-828-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5628-826-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5668-711-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5668-824-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5704-822-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5744-820-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5744-723-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5780-818-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5820-734-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5820-816-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5856-735-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5856-814-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5900-812-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5944-809-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5944-746-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5984-756-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5984-810-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/6024-804-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/6056-807-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/6056-767-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/6096-802-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/6136-779-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/6136-800-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads