a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26/06/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b.exe
Size

93KB
MD5

e451a5520b450ab7d43a94f40ea4454a
SHA1

a7b2ffc97b0c22f316a4c9adb6fff54eba83ab13
SHA256

a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b
SHA512

5f22d9a0f233ebe302bb4d2eaf9d3bd52f19185a726c4d28a1874811619a9fc65c2a244f0521d672e7c70a3f41c7c8e91d527f6a3232eb31d44ced35744c65da
SSDEEP

1536:y9+y4lu0Him8iOXzpqGzz4dhDijurDaPDkrBR6NiTUjiwg58:yzzpT4ajrrmyNioY58

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe

Executes dropped EXE 64 IoCs

pid	Process
1136	Hmdedo32.exe
3756	Hpbaqj32.exe
1364	Hbanme32.exe
1624	Hjhfnccl.exe
632	Hmfbjnbp.exe
4456	Hcqjfh32.exe
2180	Hjjbcbqj.exe
3572	Hmioonpn.exe
2892	Hccglh32.exe
4360	Hfachc32.exe
776	Hmklen32.exe
1464	Hpihai32.exe
3224	Hfcpncdk.exe
808	Hmmhjm32.exe
1616	Ipldfi32.exe
1376	Ibjqcd32.exe
4076	Impepm32.exe
1620	Ipnalhii.exe
2384	Ifhiib32.exe
4036	Ijdeiaio.exe
2344	Iannfk32.exe
3608	Icljbg32.exe
1680	Iapjlk32.exe
1108	Ibagcc32.exe
3448	Iikopmkd.exe
3988	Iabgaklg.exe
4848	Idacmfkj.exe
3432	Imihfl32.exe
1384	Jpgdbg32.exe
3692	Jfaloa32.exe
3236	Jmkdlkph.exe
4588	Jpjqhgol.exe
4636	Jbhmdbnp.exe
4860	Jjpeepnb.exe
448	Jmnaakne.exe
2172	Jplmmfmi.exe
4252	Jbkjjblm.exe
4164	Jjbako32.exe
1040	Jmpngk32.exe
924	Jdjfcecp.exe
4536	Jkdnpo32.exe
2604	Jmbklj32.exe
2648	Jpaghf32.exe
3696	Jbocea32.exe
1004	Jkfkfohj.exe
1796	Kmegbjgn.exe
3380	Kdopod32.exe
8	Kgmlkp32.exe
3412	Kilhgk32.exe
3728	Kmgdgjek.exe
3848	Kdaldd32.exe
5092	Kbdmpqcb.exe
3736	Kinemkko.exe
4476	Kmjqmi32.exe
1804	Kphmie32.exe
4660	Kgbefoji.exe
4056	Kipabjil.exe
2444	Kagichjo.exe
2660	Kpjjod32.exe
2664	Kgdbkohf.exe
3084	Kibnhjgj.exe
5032	Kmnjhioc.exe
2748	Kdhbec32.exe
5080	Kgfoan32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hpihai32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5416	5220	WerFault.exe	202

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 1136	3964	a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b.exe	83
PID 3964 wrote to memory of 1136	3964	a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b.exe	83
PID 3964 wrote to memory of 1136	3964	a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b.exe	83
PID 1136 wrote to memory of 3756	1136	Hmdedo32.exe	84
PID 1136 wrote to memory of 3756	1136	Hmdedo32.exe	84
PID 1136 wrote to memory of 3756	1136	Hmdedo32.exe	84
PID 3756 wrote to memory of 1364	3756	Hpbaqj32.exe	85
PID 3756 wrote to memory of 1364	3756	Hpbaqj32.exe	85
PID 3756 wrote to memory of 1364	3756	Hpbaqj32.exe	85
PID 1364 wrote to memory of 1624	1364	Hbanme32.exe	86
PID 1364 wrote to memory of 1624	1364	Hbanme32.exe	86
PID 1364 wrote to memory of 1624	1364	Hbanme32.exe	86
PID 1624 wrote to memory of 632	1624	Hjhfnccl.exe	87
PID 1624 wrote to memory of 632	1624	Hjhfnccl.exe	87
PID 1624 wrote to memory of 632	1624	Hjhfnccl.exe	87
PID 632 wrote to memory of 4456	632	Hmfbjnbp.exe	88
PID 632 wrote to memory of 4456	632	Hmfbjnbp.exe	88
PID 632 wrote to memory of 4456	632	Hmfbjnbp.exe	88
PID 4456 wrote to memory of 2180	4456	Hcqjfh32.exe	89
PID 4456 wrote to memory of 2180	4456	Hcqjfh32.exe	89
PID 4456 wrote to memory of 2180	4456	Hcqjfh32.exe	89
PID 2180 wrote to memory of 3572	2180	Hjjbcbqj.exe	90
PID 2180 wrote to memory of 3572	2180	Hjjbcbqj.exe	90
PID 2180 wrote to memory of 3572	2180	Hjjbcbqj.exe	90
PID 3572 wrote to memory of 2892	3572	Hmioonpn.exe	91
PID 3572 wrote to memory of 2892	3572	Hmioonpn.exe	91
PID 3572 wrote to memory of 2892	3572	Hmioonpn.exe	91
PID 2892 wrote to memory of 4360	2892	Hccglh32.exe	92
PID 2892 wrote to memory of 4360	2892	Hccglh32.exe	92
PID 2892 wrote to memory of 4360	2892	Hccglh32.exe	92
PID 4360 wrote to memory of 776	4360	Hfachc32.exe	93
PID 4360 wrote to memory of 776	4360	Hfachc32.exe	93
PID 4360 wrote to memory of 776	4360	Hfachc32.exe	93
PID 776 wrote to memory of 1464	776	Hmklen32.exe	94
PID 776 wrote to memory of 1464	776	Hmklen32.exe	94
PID 776 wrote to memory of 1464	776	Hmklen32.exe	94
PID 1464 wrote to memory of 3224	1464	Hpihai32.exe	95
PID 1464 wrote to memory of 3224	1464	Hpihai32.exe	95
PID 1464 wrote to memory of 3224	1464	Hpihai32.exe	95
PID 3224 wrote to memory of 808	3224	Hfcpncdk.exe	96
PID 3224 wrote to memory of 808	3224	Hfcpncdk.exe	96
PID 3224 wrote to memory of 808	3224	Hfcpncdk.exe	96
PID 808 wrote to memory of 1616	808	Hmmhjm32.exe	97
PID 808 wrote to memory of 1616	808	Hmmhjm32.exe	97
PID 808 wrote to memory of 1616	808	Hmmhjm32.exe	97
PID 1616 wrote to memory of 1376	1616	Ipldfi32.exe	98
PID 1616 wrote to memory of 1376	1616	Ipldfi32.exe	98
PID 1616 wrote to memory of 1376	1616	Ipldfi32.exe	98
PID 1376 wrote to memory of 4076	1376	Ibjqcd32.exe	99
PID 1376 wrote to memory of 4076	1376	Ibjqcd32.exe	99
PID 1376 wrote to memory of 4076	1376	Ibjqcd32.exe	99
PID 4076 wrote to memory of 1620	4076	Impepm32.exe	100
PID 4076 wrote to memory of 1620	4076	Impepm32.exe	100
PID 4076 wrote to memory of 1620	4076	Impepm32.exe	100
PID 1620 wrote to memory of 2384	1620	Ipnalhii.exe	101
PID 1620 wrote to memory of 2384	1620	Ipnalhii.exe	101
PID 1620 wrote to memory of 2384	1620	Ipnalhii.exe	101
PID 2384 wrote to memory of 4036	2384	Ifhiib32.exe	102
PID 2384 wrote to memory of 4036	2384	Ifhiib32.exe	102
PID 2384 wrote to memory of 4036	2384	Ifhiib32.exe	102
PID 4036 wrote to memory of 2344	4036	Ijdeiaio.exe	104
PID 4036 wrote to memory of 2344	4036	Ijdeiaio.exe	104
PID 4036 wrote to memory of 2344	4036	Ijdeiaio.exe	104
PID 2344 wrote to memory of 3608	2344	Iannfk32.exe	105

C:\Users\Admin\AppData\Local\Temp\a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b.exe
"C:\Users\Admin\AppData\Local\Temp\a8a6317bb1cff63001a9a57a5b6e8322bcc2f6203c7b1759bdf7563156defe7b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\SysWOW64\Hmdedo32.exe
  C:\Windows\system32\Hmdedo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\Hpbaqj32.exe
    C:\Windows\system32\Hpbaqj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\SysWOW64\Hbanme32.exe
      C:\Windows\system32\Hbanme32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        23⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        28⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        29⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        37⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        39⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        44⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        46⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        65⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        66⤵
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2412
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        72⤵
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        73⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        74⤵
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        75⤵
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4888
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        77⤵
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2992
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1660
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        81⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        82⤵
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        83⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        84⤵
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2724
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        89⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        90⤵
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4756
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        92⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        97⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        100⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        101⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        106⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        110⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        111⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        113⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        115⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        116⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 412
        117⤵
        Program crash
        
        PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5220 -ip 5220
1⤵
PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bejkjg32.dll

Filesize
7KB

MD5
ff6b1ee3f1fcf1e858bce9c459f41905

SHA1
1873c5e24a065be3cda3472025f0573723e06017

SHA256
4454ea908b4b83e322bc43550c6293ad122c28247f1d7d470a9c83636e012fbf

SHA512
2d29d3040eb5fce19336aa407e3e60b729e600b9bf850cca17c63c3d15ad2d4d2eef5ebabaa6541e68c2032111fa3c9ee74e89ec28d4aca5642c4e1f6cbec9d6

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
93KB

MD5
6069a5facbc8bad3d621c30f59705383

SHA1
02f4b32210d0ea302f88201e7d8940c8c02a3deb

SHA256
f0e8fa07e1f3499f83fc6030caaf73b29d0cd6dabddc4e5a49586926e768ddbe

SHA512
0a68dd396106d15f7f165dbb229459edf3f914c81712da780f02347a996c8900c7f7712cae4f584ca52db96ca33540e3ac3be79b525f6c2962869d1b8a5e6bb7

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
93KB

MD5
0f6991515a29c9943791c6a8f6ff954a

SHA1
4a46f03c2dd271d025a18c53db7e68110138ac9b

SHA256
d929daba7360b82a3aedac35f06ceee880f0f83e999ed0ded118ccabf26f767f

SHA512
1bd70957cf9e4da7836554e8ddd9ee5d3dac33f4b7ed36b75e73d7abe3b2a64114f28817f0213a3f95697b6bfa5bf834c9bdbd10131913b716eb0652d8338420

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
93KB

MD5
d6c9fee1a8bfecc4fbc6321772a3cdd7

SHA1
a94b6ccedbcfe7732d2e029b2234d29902647d3e

SHA256
52a51ab0a62d8591e3fc68f55b1d391364936af2c0f168cab15996ae639c2ba2

SHA512
77258cdb8efa9192bee9e7cbba1d18faa8e7d5a70023b30f78fc10770bddc2778aef2493ac938cfb807a1e8b9b6603d5979e83640b2efc0f575d6095968c8ef1

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
93KB

MD5
58894a4c010485c2902c0cd34d715412

SHA1
17b3990e8e49641a7432c8d359ecc04988294dfe

SHA256
efb7d91b23e663b99b3b8d7c86a255501da801d3fe44a016c83d5f993a47a398

SHA512
4d2f69eb65cdd63fcc7ab9ce818679457e2f91df322b6f8267b8487b860f3f6e91e7b2c057703066e5a92ca62178a579fbc55b19c54d0a6ade03e00546bfe6df

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
93KB

MD5
704bdc0dbea964889c8bdc3ba66fc517

SHA1
b339899c53b9656ab41891fe858566c6842d921e

SHA256
7af9f87315531509215e4619657fe10a89e012454adf84cb2bb063f61fd43c88

SHA512
3227810dcdf72bfb775db7dcf68c5c230d9a25601782600cabd598990a37caf0e60c2bdeb253967e8cf1a19e7ac60c4b7a10b33a60865cc27d5bb58c7838df6f

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
93KB

MD5
0847651abbdd3ba54d6e91d508461ccb

SHA1
1756529d3a8755995c74a11952b78e8373b97a03

SHA256
8dc50f5572ca11a24f3656fe9659eb777026586130e3f86aff8afeafd1f7b187

SHA512
3992cdf23c1639ea05bcad6563fbed9ce324a5f9538f6a3cca3794f7eb75f4b72ae82b5e2f39046bb0ec915499e8d6b50c97997fc1d500cab8224041b28d9775

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
93KB

MD5
43670909a06d51088b86c83b15a8d00b

SHA1
a568d29b4eb85ac683f9f514f96ebdf18370edb3

SHA256
6e65a6cabba69ef58ccd884271a3f1b21bd676cb9a3c6b4fa57fe98483841f60

SHA512
5b56144f884d5f21e19dad71b6eeb3be99142c6384c837135c054baac14e23e68437dec7bde3468e01985ac01e3e4a26600c69e916bcb92a3551686578756094

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
93KB

MD5
986c4abe8664bbb9c997c5cfd0553ecc

SHA1
a7bf3d55a3c8dd1108a5193ed54ceba53b7698eb

SHA256
85285ba5caa1b07a839d4c25f444a5603d639dcbcc42fbc6c258af4e251860a5

SHA512
64c3879eba54387177739b6846632b2cd840ef79a79a401558e6dbf4ade0d6e98f9cc5e1c1e736af84e2d8d988fbe35df5a08e60cd25b036909687535e598621

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
93KB

MD5
bf0e9f9d63a3d3bfe76ed350eb23a6a3

SHA1
cb6cea6a8b9d05c37512e4a1f8f495e141f2041d

SHA256
f7c8617586efee37907f19b053fae55b8b070ad38bb62de086cfc921f2b22a43

SHA512
4c3cfd1f837cfe68682470b964640a58b8c1cb10fd2b11cf4a16526c10b31565830b7114a6c3059e0314e70d8b442fe5d062e9cba0d4e385f6ad94f15b5323b4

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
93KB

MD5
d737c51c13287f08bb9f0305a7e54f56

SHA1
616ac0e0ab3fe8340c7d62ce75986518b9e828e9

SHA256
9bf8c13b0a3d0d1056c974f4ce3c8fb033f3249181cfbff20f253790487c7016

SHA512
99dc92a250c5f5a543e52169472da01068e3f753c909e7ab47aec18235664202a840dc73ccc1ffe3c49cb4c38102e00ed5b4e8cdd62a6845f6530a12a7f1976f

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
93KB

MD5
cf953e8f7c6c1947dd00588c8715358d

SHA1
2b132bf59d3227949489f07cc7d92fab6444878f

SHA256
b9b4e55c160b9266c902fe1c2a9487c1fee390bf916c7056e90d79ab28bea488

SHA512
3306ca7f8e68163dba18e31138bd681ec067420ef17c89669ea0ef353a74b950f66bbea7efa018d7897ab4ead5be961a677d234bdb3e522fc42ded62efcf03b4

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
93KB

MD5
35e8731d687ea05748fe221c90c8450e

SHA1
4413226f71c03ad35f9fb5d2576a73434a50cb45

SHA256
4b408d12fe11890904272c110e1749f48d1a6934580675a63409d2515c76e18f

SHA512
70cc3ab039400e11c6769619b0f2fce6b589698d798653af00a483dc6bb0857784f07cb41620613b00e4dc41f42e485075089fcaef4115ef7fc6422c66d0655a

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
93KB

MD5
e5a246acad1ac36957a4031920aaf477

SHA1
56ed69a1338d9e3e6fb07437ac9972fd1168da0f

SHA256
1bf6e7e323a8ff5bf06b62c38eee4b924cc09a0729ab946d8c4758d4273858a5

SHA512
f603ecef8d60f58a4691d13c85865f712216ccbfe4907feedd5f73151655a3b3eb5911784957312ec2a1a913ffb10987f51d961539ffbab0558c1b156ec55757

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
93KB

MD5
8078535f6ef8c58095eb3331cd97d753

SHA1
df0085e9205bd2bab3d446ab56f29e42df4a6364

SHA256
420327ab6b13486aa370c36ea25ec1983c5c609d3c3641337ad4673aa4b47e1e

SHA512
f1248eba7a440a3b0b7305682ee6a6392512b665c0562a08f7b5e37b915afbfdec05cbe107755d16c75d5c44577eda0c34d54b3e69a17abba2aaa84c07207eac

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
93KB

MD5
0022cabe422d4745c9a9ea4470a9fb3c

SHA1
6fe9b4d881c6a48d2834ef9ba2ed7f775c835426

SHA256
3952172e49cb9c0d3329c47b231885121325578833b693a9f858c54cac2becda

SHA512
bad35f8559d4134f0e57aac499e2a81cf808af8d4373944aee9c0e197af2be81453f524841485979f1f72c9dd3c3b3f73ae8f1f9117105a847390884ee81ba47

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
93KB

MD5
1e9990afd5be61cbd6d86a9101be81b4

SHA1
cbfbe559533dab6f378beb843ad1e630d03d0a8a

SHA256
504d31e7bcdea11cec3c0757595dc0638786c73d96a724b4209e600b4fc25484

SHA512
80fbb0c098c52bbe6ffe03947787be5d1e24818dbd5ee3d32e76e1587344d49438a0068cece28c791521d77bcc295425f932a3b721f0dad471ae036a04305372

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
93KB

MD5
535365914fd15241fd210fa5d346eaaf

SHA1
90129e2e6fdb3d69cb76779aefab45b0d4500267

SHA256
d3e302e3e089e9eadebf61e4ac54e3536921fcaa24b02cd4b0d8760fc34f67b2

SHA512
1eaa41dab6d2e438c196dfabaac6c7400f7a44e33d19d82370f2be689671612a86d0348f9847c924bc4d8500c86c1242a37a63823700f1be69b9db8231c5ccc4

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
93KB

MD5
2100c2f039f62c2cdc2972683a85845f

SHA1
ebd5fdf6c2cd76c542c9b73d7ce8b7b915926d59

SHA256
c98c93be0af1a34d6ed127586497c808fd5a591579cc5ce98064ae17624d18ca

SHA512
3a069fb8500d3158e189d146d63f8e81cc78d1843501c9d0c3bed43f26179c9ac30a8463e24d23011a0cb948ebbf1e6076ee104be9ca306ce9575b30ca8301d0

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
93KB

MD5
fbbfd04e041ec544ac44d1b8e1c5d1ff

SHA1
fbffed2d7a81b8754a9b9be3e28f928060e91b4f

SHA256
601ad377745a9703a55214ca10c9ef9a45de373590fb3f828bc25ea0502a2ea9

SHA512
9e5c68553b946bb9c807650139507be47cfdd63def8865dabea47fc8298b9a5ff3ff851c4c47210bdad78006d6381a1624a578ced57f18eae40b001f2b3fd333

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
93KB

MD5
2995e636e8b2e219f2a623d5a0c99aa3

SHA1
b00a72ae2d29adab59edbb38f3a7e3bea5669c61

SHA256
0f5723256de9f9e77321f7f33c70f33a8b124d886b585f4f3c146b60df0515c7

SHA512
f889a4a488f544449f252970cfd5ec44aaf843c032ec3926575b7d3fe87dc6e2998d5acff42908efa4b8449e4b27ed57d79d3972ec358832711c5df9a4ffe453

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
93KB

MD5
fc43ef8264c82b786f46f52f5f0f099a

SHA1
704956978abcdb768811c7f1874c56556eec10e8

SHA256
3995984a906721b0bd55688a50edc4a30a2b5feab10e6241ce3948f3c9c95773

SHA512
0accee33920b684db0754f88327af00d613290c26c0c0ac02b2e01e53c2c4047b6951a9e7aad5c666984211e42a81a2c609995a0b9b34ef56d2a8a12f2aad703

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
93KB

MD5
d515532b82ce32ff99234ffece5bb65d

SHA1
7940c650fd80d4eca234c32d194f620c738d08ce

SHA256
b615c23b1aaca870fa15e7961c0de67ee95f2305b8b7c4772892e40c1aec7c5b

SHA512
49a0147bb7e6798bd362deac59b56d680331b95f1e237400d06d54282cc38f90da4ba36836cc7c56ef728ff0deffc3be61f93a6a451aac8619a7eff5a80d6195

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
93KB

MD5
02f03aaa7a2009f9dd007d6a0e66ddfb

SHA1
7634573be8367eef08ee99ae480406a0d116526b

SHA256
3fe7cb454ec76540e3d98a681272e0c80e29759cca1b3a66b10869bae4f194c0

SHA512
cfc51c24def0b3e5c7d8e3858bd177401a73554adc7f1a64ac0f35c9044a91b20019081761c628b1721beb10b180314ae50f259e1f127e241b80e4f5947dfd2b

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
93KB

MD5
2aa746b956f32a9c83444b4d8fa89199

SHA1
03bfb3d037295f381a173d7f3edd572098854634

SHA256
48169919659527dcc4204eb3081f81f152fe8f4c8a186ddfe96a03331db48c9e

SHA512
4ed71c8ced5823949fea889617c64e9ac7c4a74ea6e8011980c77f65b223ee71d2bb13b634cb5a10bdb86462d9aff97d5de96248885eedfa77cb6a350987c172

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
93KB

MD5
59e8c8e3a5cbb8819e34f8c902a6330b

SHA1
2d78fac73e78dddf3521a88bc6e124ae76239f06

SHA256
6aa2e74dfd52951fe873c539e8f3e1499ac5bd26420a2ddf2d1f9fc29e7b4e55

SHA512
c57551779abe5dfc381e788df5f97b370431490b50ee82b55f59cebbb49d2bab1dad65a54de865bb1cc5c86a570cd619a6e4a76056d7f5b98e3386f7bd0e4ab3

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
93KB

MD5
6ec69a31c9d224a3ec040223ac9803e3

SHA1
114f2cea74064df0e203c7e0d7e20aacdeeb23b9

SHA256
8219bc74193cce7ff456cbcf620b93fee2ea6d48d1999652298bb628108ade16

SHA512
f2d438e18631cd88944e04a051e247b48904f85a03ac555926cdf225f211841badc45245fd5cfba135403e4edc512ce4636b58e7d47f93c623b357c3985cf5db

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
93KB

MD5
99d494e4c675d89d95387b0af2551700

SHA1
59b7b82dcac5840e411e3d7a133f636df5eb1230

SHA256
52e1f98558a6964bb17998a5715c31e040b5293569920268475cd1f062c517dd

SHA512
8a3ffd64ec8be334a2b0c6c8df3b80004287f0f76d9ce44c11ae36db5cf56c0eff3c0bb4069c67fbd75b9a0fa0f1d259b2cd6eb09cf27f9594c5fedbc9821bdc

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
93KB

MD5
f9b87567d90e0e15660a68d11d24e84a

SHA1
98a76edbd9638e59329a253a76d0f51edaf0b123

SHA256
1445fae19366ed520cb14f61c6ddc5fab88a701e57c37bb8b7ddaa86b363031d

SHA512
fc964dd2c0760e4ee319ff2f528ed27312c468517519f2f60b3074b1b6abe9944a3f4013730b785aa4e623d19fedee4e044a17e2fe5727ed6d74f05784a0d194

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
93KB

MD5
9aabde21a61b2e6b6a34d8b637c994c4

SHA1
3d86300b3460647d047b6a70cb65cbb38ffde872

SHA256
4a93768918e629bd4223db4a8125db92bfb97889f5b12a4cc8c71ab78c324b12

SHA512
3a965d0fa3fb61eedee90d7d219c89495b732205a974389fe548d5bd2203acaa58467184f8d265f67e39e2a6f1237e2f3341b3e74ade6d8322c5f72dc5ded3a8

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
93KB

MD5
fea9411ef867ca21c5aaba8686385b49

SHA1
510c7e25220b1192ca2bf9ca8113a5d7ee237611

SHA256
6d4d02bf2c4628c97b762042371e4bf569f625fb87eaca30ca719342a5a2c1da

SHA512
658740818debebe3f4088f5df0aa0200098e8ff988b3cd684b3e60e186ff1c5143c39b825d2e6c130da3459f257f550ff615853a657f02cc0b1718e9e7192c39

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
93KB

MD5
7fe9192f0d3af702c3f4f855cc05f685

SHA1
5aec9f1a5f358a0009ee92cd06b16c681656effc

SHA256
763df21bd34cf39372f0da5129fa4be9573481a22e213d27727a6e19f14f991b

SHA512
15862fc1b84d6863134594a35fc0296eca23314e0f1cadf6bb2679dcba3e4c69d17ee8eeae4d1391b63cd9994b42155b94d849777cdbb97a39fd2023bfb855c0

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
93KB

MD5
ff8a3da31289b9ee201cd164fe67840c

SHA1
25f3c51fe9c7a5108f849848a6bd5a5c504d3df7

SHA256
dd686c3a47f357bdb75613e8e4a8b785b8d808856dec4c399e14a786fcf951cb

SHA512
9386ae0975523d012bb55202c44368bd4e58e33be391b2cbd934b4729b247c9c1058d4f37d11fb9304ae5cf1eecfdd172402c1318f10786f7eb2eb94970d6103

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
93KB

MD5
aa3e97b83d465ecd54f5ff6f4973a7a6

SHA1
8a0b1eebac6d12e97e5bd00e0e2ce15be912e9f9

SHA256
196357398c448eac2a22535f40feff55128ec92cbff101e4c6575fde6ebfa256

SHA512
dd030c3327df025e25d33f7494fb6044ffbaff56faaed82118d55ffd9361a52893cbe61e200260c6296eb46a061398c43035cc65efac5f346b066d5ac792ee5c

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
93KB

MD5
c4d06b1732a46886124f5599e507bfd0

SHA1
adeeaa98dace59cf4294ffe8f8e56b30e29ad785

SHA256
a3c0900a715ef2f38015ebf25d2ccaea68effd6eb6f199f345025d91cb34f049

SHA512
eb6f834f4313283c5a92911f9038e63feb169887769e423f55cb8003ddc8771da1e54ba2bef283c3b07c7e24b2b811e6eefe74f3920b47f50e05ed38d23722d5

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
93KB

MD5
1a9682d23417a1c0b5a5351d66dfce3b

SHA1
1d0795df7858e481d44513b83d2e5a5884960230

SHA256
07f7dc147fb8877c52bfc45f60287d58cbd7e740f508d69f4876488c1d5d1c1b

SHA512
40e797fefece3b86f2d2168e7761d22a213b563ad9fbf31d4e2d3d746f9cfccec0c53d5ed47510a8f3dcd7392970a0fb22625e2d472e5d6674ab3bcd1de507d1

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
93KB

MD5
6308ea04026b1612420e0e471085d14d

SHA1
847e8a3c558eb845ea9a0fc7a49af3f8de8774a9

SHA256
27db98fe808d34d1909c13dbf139f7161236a9e467e8d5bbdb3b9bfdb3f4f2a9

SHA512
131c3c445df3bc7b3c4d622f2b2bd627917054e2c6ca7f59b0a7b0a95e57fdb06e4c524399b14419430f226322b8d6d72bdbcda8c8480001b14fcb99d55985f2

Download Submit
memory/8-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/372-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/448-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/632-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/632-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/776-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/796-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/808-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/924-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1040-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1108-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1136-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1136-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1364-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1364-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1376-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1384-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1464-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1616-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1680-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1796-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-594-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2180-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2180-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2344-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2384-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2412-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2444-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-577-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2748-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2864-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2968-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-530-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3084-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3224-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3236-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3380-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3412-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3432-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3448-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3476-476-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3572-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3608-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3692-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3696-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3728-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3736-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3756-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3756-562-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3788-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3848-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3940-524-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3964-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3964-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3988-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4036-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4164-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4224-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4252-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4304-564-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4308-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4360-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4456-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4456-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4476-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4636-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4660-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4752-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4848-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4876-566-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4888-518-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4924-591-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4940-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5080-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5092-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads