384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a

Analysis

max time kernel
137s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a.exe
Size

208KB
MD5

b8b90ca1f80e8f633f81c86cfeff35b6
SHA1

59e0e98fce8ea6ccd909d6bdda14f2160d23cc6f
SHA256

384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a
SHA512

a6def5df0cfce2f5f18563764d04297db47929e5f7f683579b17b5d7a0a40a1105f29aaaf1e501a99b167df6333596de4f7d3978dd71f5cd113db74a9e4d6776
SSDEEP

6144:crOdYstGpRVuDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55KmC:cidYxrChtMtkM71r1MSXqPix55Kx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijkljp32.exe

Executes dropped EXE 64 IoCs

pid	Process
1888	Hcnnaikp.exe
1676	Hbanme32.exe
3436	Hmfbjnbp.exe
3928	Hpenfjad.exe
3628	Hfofbd32.exe
2464	Hmioonpn.exe
2900	Hccglh32.exe
3088	Hjmoibog.exe
2480	Haggelfd.exe
4380	Hcedaheh.exe
4712	Hfcpncdk.exe
1760	Hmmhjm32.exe
1472	Ipldfi32.exe
3520	Ibjqcd32.exe
1172	Impepm32.exe
5032	Iakaql32.exe
1372	Ibmmhdhm.exe
2384	Imbaemhc.exe
4344	Ipqnahgf.exe
2236	Ibojncfj.exe
3752	Idofhfmm.exe
2928	Ijhodq32.exe
2884	Ipegmg32.exe
1292	Ibccic32.exe
3788	Ijkljp32.exe
3588	Jpgdbg32.exe
2992	Jjmhppqd.exe
212	Jagqlj32.exe
980	Jdemhe32.exe
628	Jjpeepnb.exe
4476	Jmnaakne.exe
1152	Jplmmfmi.exe
4920	Jfffjqdf.exe
2064	Jidbflcj.exe
2444	Jaljgidl.exe
1540	Jdjfcecp.exe
4360	Jfhbppbc.exe
3084	Jmbklj32.exe
3092	Jangmibi.exe
4928	Jbocea32.exe
452	Jkfkfohj.exe
3104	Kmegbjgn.exe
2648	Kpccnefa.exe
2904	Kdopod32.exe
3812	Kgmlkp32.exe
1860	Kilhgk32.exe
3600	Kpepcedo.exe
1044	Kdaldd32.exe
1904	Kgphpo32.exe
4704	Kinemkko.exe
1864	Kaemnhla.exe
224	Kphmie32.exe
4504	Kgbefoji.exe
3560	Kmlnbi32.exe
3236	Kpjjod32.exe
4924	Kcifkp32.exe
4056	Kgdbkohf.exe
2840	Kajfig32.exe
4368	Kpmfddnf.exe
4408	Kdhbec32.exe
884	Kgfoan32.exe
748	Liekmj32.exe
4424	Lmqgnhmp.exe
3656	Lpocjdld.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5888	5552	WerFault.exe	203

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 1888	3964	384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a.exe	83
PID 3964 wrote to memory of 1888	3964	384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a.exe	83
PID 3964 wrote to memory of 1888	3964	384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a.exe	83
PID 1888 wrote to memory of 1676	1888	Hcnnaikp.exe	84
PID 1888 wrote to memory of 1676	1888	Hcnnaikp.exe	84
PID 1888 wrote to memory of 1676	1888	Hcnnaikp.exe	84
PID 1676 wrote to memory of 3436	1676	Hbanme32.exe	85
PID 1676 wrote to memory of 3436	1676	Hbanme32.exe	85
PID 1676 wrote to memory of 3436	1676	Hbanme32.exe	85
PID 3436 wrote to memory of 3928	3436	Hmfbjnbp.exe	86
PID 3436 wrote to memory of 3928	3436	Hmfbjnbp.exe	86
PID 3436 wrote to memory of 3928	3436	Hmfbjnbp.exe	86
PID 3928 wrote to memory of 3628	3928	Hpenfjad.exe	87
PID 3928 wrote to memory of 3628	3928	Hpenfjad.exe	87
PID 3928 wrote to memory of 3628	3928	Hpenfjad.exe	87
PID 3628 wrote to memory of 2464	3628	Hfofbd32.exe	88
PID 3628 wrote to memory of 2464	3628	Hfofbd32.exe	88
PID 3628 wrote to memory of 2464	3628	Hfofbd32.exe	88
PID 2464 wrote to memory of 2900	2464	Hmioonpn.exe	89
PID 2464 wrote to memory of 2900	2464	Hmioonpn.exe	89
PID 2464 wrote to memory of 2900	2464	Hmioonpn.exe	89
PID 2900 wrote to memory of 3088	2900	Hccglh32.exe	90
PID 2900 wrote to memory of 3088	2900	Hccglh32.exe	90
PID 2900 wrote to memory of 3088	2900	Hccglh32.exe	90
PID 3088 wrote to memory of 2480	3088	Hjmoibog.exe	91
PID 3088 wrote to memory of 2480	3088	Hjmoibog.exe	91
PID 3088 wrote to memory of 2480	3088	Hjmoibog.exe	91
PID 2480 wrote to memory of 4380	2480	Haggelfd.exe	92
PID 2480 wrote to memory of 4380	2480	Haggelfd.exe	92
PID 2480 wrote to memory of 4380	2480	Haggelfd.exe	92
PID 4380 wrote to memory of 4712	4380	Hcedaheh.exe	93
PID 4380 wrote to memory of 4712	4380	Hcedaheh.exe	93
PID 4380 wrote to memory of 4712	4380	Hcedaheh.exe	93
PID 4712 wrote to memory of 1760	4712	Hfcpncdk.exe	94
PID 4712 wrote to memory of 1760	4712	Hfcpncdk.exe	94
PID 4712 wrote to memory of 1760	4712	Hfcpncdk.exe	94
PID 1760 wrote to memory of 1472	1760	Hmmhjm32.exe	95
PID 1760 wrote to memory of 1472	1760	Hmmhjm32.exe	95
PID 1760 wrote to memory of 1472	1760	Hmmhjm32.exe	95
PID 1472 wrote to memory of 3520	1472	Ipldfi32.exe	96
PID 1472 wrote to memory of 3520	1472	Ipldfi32.exe	96
PID 1472 wrote to memory of 3520	1472	Ipldfi32.exe	96
PID 3520 wrote to memory of 1172	3520	Ibjqcd32.exe	97
PID 3520 wrote to memory of 1172	3520	Ibjqcd32.exe	97
PID 3520 wrote to memory of 1172	3520	Ibjqcd32.exe	97
PID 1172 wrote to memory of 5032	1172	Impepm32.exe	98
PID 1172 wrote to memory of 5032	1172	Impepm32.exe	98
PID 1172 wrote to memory of 5032	1172	Impepm32.exe	98
PID 5032 wrote to memory of 1372	5032	Iakaql32.exe	100
PID 5032 wrote to memory of 1372	5032	Iakaql32.exe	100
PID 5032 wrote to memory of 1372	5032	Iakaql32.exe	100
PID 1372 wrote to memory of 2384	1372	Ibmmhdhm.exe	101
PID 1372 wrote to memory of 2384	1372	Ibmmhdhm.exe	101
PID 1372 wrote to memory of 2384	1372	Ibmmhdhm.exe	101
PID 2384 wrote to memory of 4344	2384	Imbaemhc.exe	102
PID 2384 wrote to memory of 4344	2384	Imbaemhc.exe	102
PID 2384 wrote to memory of 4344	2384	Imbaemhc.exe	102
PID 4344 wrote to memory of 2236	4344	Ipqnahgf.exe	103
PID 4344 wrote to memory of 2236	4344	Ipqnahgf.exe	103
PID 4344 wrote to memory of 2236	4344	Ipqnahgf.exe	103
PID 2236 wrote to memory of 3752	2236	Ibojncfj.exe	105
PID 2236 wrote to memory of 3752	2236	Ibojncfj.exe	105
PID 2236 wrote to memory of 3752	2236	Ibojncfj.exe	105
PID 3752 wrote to memory of 2928	3752	Idofhfmm.exe	106

C:\Users\Admin\AppData\Local\Temp\384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a.exe
"C:\Users\Admin\AppData\Local\Temp\384d10b156dd116589b9d5d66bc4cf329062c72753538335c550235f4721503a.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\SysWOW64\Hcnnaikp.exe
  C:\Windows\system32\Hcnnaikp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\Hbanme32.exe
    C:\Windows\system32\Hbanme32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\Hmfbjnbp.exe
      C:\Windows\system32\Hmfbjnbp.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        23⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        29⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        32⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        33⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        46⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        47⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        49⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        54⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        57⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        58⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        63⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        65⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        66⤵
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4996
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        70⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3220
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4664
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        81⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        84⤵
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        86⤵
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        87⤵
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        89⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        90⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        91⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        93⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        94⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        95⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        96⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        102⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        103⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        106⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        113⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        116⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 416
        117⤵
        Program crash
        
        PID:5888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5552 -ip 5552
1⤵
PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dnplgc32.dll

Filesize
7KB

MD5
0c9639c1e866eaeb46671feddc5e0d9e

SHA1
fd9be82ce8a455534616c8334866b96ee8b0ffab

SHA256
f065cf7218204866c034e075e66a05f01fc7afa1187def2c6153ad53ce6872a2

SHA512
b95fc76b3b4b6e50e8f427cf4ba9e21fddff2fb5db3cc80fea9ae0c98562ae6ad9bdf4b53d906460ad701198ef237f6a3f2dbd8659f204cb51c57288128fa7e0

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
208KB

MD5
d0eb9f7e7712fc9f8b3fd9910ad9eabe

SHA1
e266e98f1c4f7cf07ab950d89895f37205effd95

SHA256
d88736ce99cbbcc260c26dc92b057f2a332809b968a9317ce0b9f5b68d6b8cc7

SHA512
3e65e2e0523d59b28a798f7aa8b4c3b4ed9de1e0d4dc3265f6cb77a39408b7ea36d95b42c35a77da9611c0aecb96b5daec1b8aeab1ae524713e63bdda4de9ab4

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
208KB

MD5
5915adf6e135366770dc989dee3140b8

SHA1
c5410b010310aa746af0f53274ec7f008708bb64

SHA256
00edfa12a2597d6c248dce57c6790c1585fe0c3626751270d7980f652d0c7d2f

SHA512
5fb01e28cb64841b69e3b8ac822204cbaee11cf635096c3b3dc00f3951a7f26ae80616a0832eabf8af5bbdc775721db816f03603bb1fd1302191408e1d370595

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
192KB

MD5
7ec8974392ec8766df0eac78bd0e667e

SHA1
521c4d957f00a215f30d0a55f1b41faa9e2c71bf

SHA256
b95893db9573f0b77f72ca015242aa3de167df762f97d601a35f3bf3b25c935b

SHA512
a00ca94d6739d11b576ca0a0e848e16c935a7100a868e4b9851eb86a1d56a702812a6d1d6bada5bdc5cfd602aa34afcde39e99bbe956228d1e383dff56707abf

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
208KB

MD5
0c8a47300339b70abbdbaffe4ad35de3

SHA1
4070b7e8d2238181754a37e1aa00284072a961eb

SHA256
9e48e8af61a4efa057fb000bbf3033b2549a2617802ac3f0b7d932a190f4c41d

SHA512
4b5e581210b5b6507a731babcdf7685fbf27bbc2d38324dc4a0cdf40eceabca14dc41213cf2cdb559aa5d94accf51414a45b728a2e2cfff827b4657d915e5ce3

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
208KB

MD5
3ea99aa156bb4f72d4e67f5580072b6a

SHA1
bf50faac908321a221338acb2a7fcc56ac0e1e98

SHA256
dea9a2fa39cfb284c434d9c1c0d9182a6df8c56382296b781efbf8ac07550a42

SHA512
fc12a7b4b4c1a42a9fbe75bf6bb403fccb21fa0162998110d8699f06ce9e860b08674a89be993c1ba2b5c5438b1553a74d9c7e8f900d4680baaf0c92afde899d

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
208KB

MD5
61bedf3f036b5a410fa6d146080b3866

SHA1
3f471996890352ce6251e837ad748e8a65c3debc

SHA256
66e46157e556bc872e5bccdade2ebd0b32804d8cb93815d3f61770edb4285df5

SHA512
3e40b8021a1a58e907db6a6f2eebd70d2bffb34da54b442e851a43ba842c6e3b8c7892843560e27816e290498d77daadb3914b1ebb76c8b6eab99a59150c9a11

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
208KB

MD5
cf6e6ad9f69758925e6e79a7788a69e4

SHA1
481c9777acefaaad19c66ecc62b0503a5a5103e9

SHA256
4e2cb30e962df386bace235f31018b957982ae9cc817701032e19cd4eaa7cb30

SHA512
49f2c276d4dfaa4d3c6073f6051b221b4a9170af1bcbb06f8b3b7e5df47fd6d02063ef6b620cd881b6182533d6dad7be86752739f85ae8963271f23f45f1d919

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
208KB

MD5
017583f35b0f412c7006f0cfe549da3b

SHA1
ec4c3832d4e07a7e081a4e7a0b923c72c072304e

SHA256
e4c4330076dc960fc797a0778a63c34b6e5ae6c777d4ce8b294a2753b7bca24f

SHA512
751243b086fd856d4fbb81fb835d28b63f959b762fc0725928041dd6b74a2466519c22423bb556c37a39a9738be95cad6082dc420653c74fde93cb731be49679

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
208KB

MD5
65b8572d3bfc07b8668f728d649f4084

SHA1
50f5043d395658236150a0baca36ab8a256b2cfb

SHA256
02bb9eaef7f3b5158275d5816466f44ddca86876ccf961c1dbeba7a9a20fd4aa

SHA512
08b4a98837a69363f37314339490e53bc8cbd241be9804e00ec06d867e0e884f2ee5795d1f9e54038312465e2a87d5dd65dd59f0041d540ce77150366d3f00d8

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
208KB

MD5
d4b7193958968d3ba75372b2160a0c00

SHA1
b44d8da0b466bf80bcfa931c26db662be19c6529

SHA256
ab1d68b2827b2bea403f86332d67ec325826eb9e0ac7ef187984de9d0c98a747

SHA512
7f5d4a79dbe19ca4d283da4e6ede0938edef0f7d3ed012a8b0b75d358afa7246908da487a746bf8df78cf725a5633726915531650c93119f07a3578ac738b2e0

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
208KB

MD5
81de58ebd0aad8fdee0ec81358987eed

SHA1
95f4cd8b8fca59f534e40e08e8425e0c5cf85787

SHA256
19c4c4c8d0f5b16ce1b7fddba4a2deeccedac1478088652087412b876a316324

SHA512
69328acabbe0a79cf03533e7e98ca1c4a1c54fcf5d7d482d93c4dc00e9ef9b47729204d5b1a178f007f9c5b312aba7103057923372adfc37f360e4f93a4a9959

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
208KB

MD5
28bf99b7be7bfb731469a32123f70eff

SHA1
fe0336cefe34fe5cd3b6e80ec2656382dd1b26f5

SHA256
9ea46fae768f23c27cedb4abeeeb92fe375a435c88394cf59406ef2bbafa6b32

SHA512
05a5a0f6def603e483771e4ce645c9dfbd41267117c51022421e5ea9267d387d2c10a832e0fb593aa5e9f6a51d47435bbedfee22e2dbff0a5f89cf4effe5729f

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
208KB

MD5
f53f5da4e888149083ef9043765b9c9a

SHA1
71b8b53e14aaf0c7e8c8433353bf500fed7e9f52

SHA256
6635b491faea8df29d804cbb7a90e3ae9e2163a7650b96688d8043b56c1c7b5c

SHA512
763ee9ee96eeedf8e54e1cf3929966e67ba9563facad93d95e7cc47dfcb6d2956d3379b1937665606bfd6622b9f532b6223fbc13a21a6101c7f0d65faf05713d

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
208KB

MD5
b49990213427485e9ef7be5028712fd2

SHA1
a8a457e11d8c5a90ba61d084736e9eb22650bfc8

SHA256
88116c30c2ee25b3f7f8a57f7cd6991a3c64c0b339b521441d6dfc9b4fbf1f1f

SHA512
1263fcb3cfcd730f69280f5d17b77b3448777ba0ef3d063b53ac657249f13014d7239ae3a501fba63715545fcc6142f90f0973650396a1f5feae1d970bd0d577

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
208KB

MD5
d437cfb7495196829e1bd95d6dfad86f

SHA1
f24c7ba5393720b754de5ac503eae3c70a61a00f

SHA256
9dfb4796a66b55d3cca566d874864b5c12d0f02c5e923a556a29e699e42f9b8b

SHA512
d8ddfa7bb0903e62a2ff8d089d43221bb18f1b735a41861aa759a1f1cdc4dbaf57f268245dc8aab076eb12bfe24a040afe52ddebe415ec304c576b1610e54dfe

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
208KB

MD5
498040880ac3cdcc6d4434670c88d8f6

SHA1
edbb094c1a8e60d0da8c39c5823171e191ccfe0f

SHA256
4f1e811ad280a9e8539b5687eddd134ae96aded9a0d74a53a55791de1adf48b4

SHA512
9eb503a3162808082b6f24878c09e6dc59bfc40e976eb29ffc4c292d3cea7320099c1aee2965c5895d5dd275ac7ecf4cd46b0952c0cd0d366b902c31cfa99132

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
208KB

MD5
a4718ea9d786b437aa79ac7b49ab5cf7

SHA1
f7bface6aafdd01589277a2188d2698c301b2caf

SHA256
9f3943bc09e4d9c27607e92df14e25f7c4f6e43e7e3ac0ccf611990e9cd63ac1

SHA512
18bbd917144975038cb8530b34e6ea1b6d843ded466986f14473243683ceeaa217f447e989c26b53923d18e58b1159683409da9be372afd561cc2e855820a52f

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
208KB

MD5
e8a8cff4993b61b56962522630a433c6

SHA1
a5bfa839666a9918b49c98aa242853edb10d19f4

SHA256
85ffbf0600d2391bcf962025b506e043740397e678f86cf6ab5e56e7eea5c1b2

SHA512
97c119c14ea77733fb566016e670d06eb64be2e34351a91df7c04e2859d2ccf124050f3db38ee6aa5588d1b7878b1be308596cd1ed5a20fe3fbd97579c9b9dca

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
208KB

MD5
05dc235cf97c7a2c98b440d2129ec2ac

SHA1
42c90995f86dfe987b37a134427287f98441d43c

SHA256
3ebcd1f51f581eee966c8076f8d32288c2c6ad40949dedbb88df8986f2136cc3

SHA512
773612c39a56c64b3a3da33852fbfb0616e570d43b332838545f2e6c0704497e76970086fa15ea791b6e8491a60dba35cc05aedb8e53f976438587f4b6a65e6c

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
208KB

MD5
4082ebcde22d3f44325de26c801a0780

SHA1
e78d60dff076e9ade1cb1b920082dff40fe257dc

SHA256
73a43b64a572640a4b743213e36c1f56bd71233053a7291b0df388494ebefa96

SHA512
7c4633628d2225195ea6ea854efe6c5b7999b421cd4b16ae557fec0d6330bc4da9c06cb358cb7dd07027995698b9771a8125d13b2501949db1d62def048be38d

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
208KB

MD5
e5dc5a24aa6e2231798eeb43f2418288

SHA1
216fe964593f405917c22893ce54f180735b0cd6

SHA256
687f320e32dbdd518dc1920f8afc4ddbca01662788c98cf984522d368a88e30d

SHA512
4530623de639492318fbee35c201ce6366b2a8da03ff97d19bc4c135e2ea1eebe07b47eb1149d5760258b7b43571ab436be484d478927f6647918b474cecad75

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
208KB

MD5
61146506c0d3e758747f67b821730d39

SHA1
325087ba820b2f3406e4126bb5f16a71aebb4631

SHA256
6c054e926c6c83e095fc52a68c5c5b8526576fe8add733f859acd0920b1a6f4f

SHA512
cf6879c086a47a60a9b5d37590b137d422c4bfa3192bf57c5d9829169190a4d320b4874359e7149404a102609842762b8cb3dcdd4dcecf96a92d1913c8799033

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
208KB

MD5
10336824e66555ac19c6b8e5bcac8064

SHA1
cd1b3831dc950394349e4be9e82495fe1fd1417a

SHA256
a02550a45a1df5fa3b7cdae75d921707840bc6b8c89241d86faade93e15259cc

SHA512
5ece78e69e8fba2864ef3b1a4ab8c194d2b6f91522d9fa4f31b4302899742522374eb414fd98be37e973f208c9f3758c103ae73f5f9fd66b8bb3b069afb065ae

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
208KB

MD5
6cd44d9fd851ba94fec7f6a8b3361b2f

SHA1
eb0fef508d49934da9b4a9cbd9a6ccc72f562f79

SHA256
dd5946980e66d8b09e0601bac8c1ab4f87cd67687aea31e1fc093db0bb6b7fcc

SHA512
ebd9c1ee1ba0e0f3bf0356063748eb5162f5b6be9084d082331402aa470eabb10b265e463a017027921daffec6340fe3ffa06e4c7c67e8d0ad27cf2faa7cef3b

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
208KB

MD5
5aafe62820ebe7bd334fc7b57c05907c

SHA1
4ce13361e5ca8e1bea88d52bec8c4572c0e16ea0

SHA256
389e266bc9ce0239424f1088bfb9e6795f8b5ccae813c1850af573f9d6b546fd

SHA512
ae20f389771d6545e26416f81c8833446d6a0951061cdfae19bfc99d97bdaedad35fdc3a82b2b419059e33fa2f1dd9c02031a74d09722dfbc1bfd492d8a5f93a

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
208KB

MD5
2a9b34a4eed852c39d509da5dd2e4804

SHA1
a0369eab207dd5691cc308fd80c443bfefa3cd7f

SHA256
7469bbd9737e2783d4a928aaea0829690af8c6d3d40f9d0d849185b58d27337c

SHA512
8b1f706d36f550aaa6391ca11bfb89c13ecc7610bae162ce6cbe202671f0653c2220a49848953f752285caedb2368c5d162b68e16e897e17172e7f949b988e24

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
208KB

MD5
f59db46678e7a836b119f31734b7bb45

SHA1
018271f94541297293bcf5fbe82adb55200fa177

SHA256
d3103c234c4de8930363a0c8102627f52ffcb719219e1869b648bd1bd865fe5b

SHA512
3007e4a11561748324a4e69a89954cfa84af3f97d701e1fb6ce018f58a6f6ad4c516e663eed92fb11c90bb4856dc8c5358ad2a33addec2613d963f26752bdc0b

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
208KB

MD5
e02d11b56ab2efa41f942de95827467e

SHA1
057496d2b0b35e1b1458028f27cd12994c434523

SHA256
784f60ee65e5d80f67009c206f614c1891c9708726bc0ee4c8c4416e94248fd5

SHA512
9a8f33565d7a19f7e502717db523d8fa2eab87ce7316ea3969286a30c0ec7fa46374cd86f90139ce459a9747ef86e7cac14b7cdfc0d27a426ffb8907a7df0369

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
208KB

MD5
a59781107941eed738fc43c5c2802ed8

SHA1
8bc5f0f73ba76d3f63f13311459df2024fe41873

SHA256
208f75b4245d1afbf01cf3b8da0cebc06d11c46c8e74ecf45604b0419375605a

SHA512
982ca6a6b2b01d50252ab3db1a15accb0399e21673a5b8be9286ebc79325b459b93a2e5eec8a7889b85309313f2ddf1fb06a8b2241f8de1b636b9750ebb4938c

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
208KB

MD5
413dc983306a731eebf8e84e6de16520

SHA1
76b5559dd8a356903416c893a4d133ff6c36ab2e

SHA256
798c8bc8e0857fdc531189595673af4c984744d5cc51f7cf3406e40c2c97f681

SHA512
f8daac4c2ca26267f339ddf3390a708f33865ee7d4b43c45fea355c61ddbbf662b647c3523c3868315d896ded534d19c550c7952b4d3803196e5e8ba05bed199

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
208KB

MD5
ce8ff691f68eb31cbd3e814450cf4e37

SHA1
9073ff2cf01e2adb996a46d6ae6b81d387d7f12b

SHA256
28c734507a8d0366df089f42476c3e2340078cda1ac855807e719df2846f7930

SHA512
979be8c4bf1562b87f4713b7ac635db057e227b5d66fa831a5468df0cda97d591184cda0337f1110d5c802f75b58c6abf2642acca8c7eb817b54287fa17edede

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
208KB

MD5
ad020b856c8fa70f25b6acfea109d504

SHA1
0158db5ef100218fa6ca30dd80bb7b86fe8899c9

SHA256
fb5351874c3da32d0b7b77277eb17b0cca52123373399dd66ecbe624d6ba72dd

SHA512
cb91197ba463bd487a16361f26834714c354f73961753eae3ee2c42ea2b247ea13e902fb2a9a5417f1c54f55385ce3997b85562bfbf04c4a14d24a9cc6460c84

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
208KB

MD5
c06bbd5be5a7f21dfe8c4464f949758a

SHA1
5822d16c85fec2b0ab7de0e9a3c92ca6fb81062e

SHA256
e819cb215a936b9b9a61b83c6cc282a392c2fe999bc9cdd95b1bc32612a34bc6

SHA512
8e6c0682bdf641e2ae5d99e830904eebf38c8350730fe8406321db7433f2b0f219bfa6ba394e30c1db6685ef7ad7e0eafc6a0b7a4fe2474a7a521a0ac38457ee

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
208KB

MD5
f3b33c0479f0baeb5b6bef787f20c643

SHA1
4f238bc8417364f2cd736e87d864b17e44968baa

SHA256
497655b4f0760f4eb3cf19c2ebc9243ea34865cab679c1c9e5b0e4cfc10bdce4

SHA512
0b007185e0b054515ef6e3b7a1e04e34176b469994036650fc3f7629b65b74974ab5eb947a729fa46a3c689fffa33752744958ad1c38824c56482559f6a15c31

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
192KB

MD5
3d4ffac65f44c7dd396294b8ed5d97a2

SHA1
e88cba1520b123400f636eab4936988ca46721bf

SHA256
2e4b2a9de13d904c0b2afe607dc6d2f67d2c6f3d6fc05c904a06465bd01e667f

SHA512
22be98aaa4f3f0a1777dfb926825af27ed01c4356278d431bfbd61853e922341a8e90588a2a0b090bf3349ed95c0d83c2130f4aa2eb83ae0b1f306a27a852a7d

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
208KB

MD5
e965b8fd574e0dca315617a840dfc325

SHA1
c5f271edd8fb78ffbcc030936442e6c2e25f0b0a

SHA256
cfd5055e6e1d8dc2617430c456a22fa03a8f9b77911ee5f33fb547c037692937

SHA512
95a3dcdefe9bb42d6e9cadb60729559431b7ea35a36a6809bfe1333b7bc76d576fdbfe4e831ef1b3172f2e32d71373310d4ca6f5822a841035bc48e8927c01be

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
208KB

MD5
ee943dd65562fec3e99aca48f853d5d3

SHA1
7e9e315d85c5c12499746be5e7994f8ab8451192

SHA256
b8481592b48438afeb600ff025e10a62fe2f3985607a5eefd21c3e9bf5acad6f

SHA512
dec2979eb35089072e84d1240e2ad872346d8b64eb44b14fe25ee5a2dae3b0e352df5ef92ca67260cc1c0173c0da57a9a700c3227877a68a732693c420442685

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
208KB

MD5
d4020d7fb0e73526295e10cc61bc7d91

SHA1
aa7a017f00c64418251ebfde26a2af54557bda03

SHA256
904c3318ef45059053253b487ecf598c9cac06e2ffc71f53eb4416fc78b7b408

SHA512
1b60d5230714c51cf9dbeaed1f4e1223ef97dad4ec121cd0df4f936dd9a0a365c54ed1c6983c64013f2a6cff00714fe86bd137341e2943e585a37c639f64e205

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
208KB

MD5
05508abba9b5546f580e3a0168f85376

SHA1
8c3bea531bffc819f812073bf0120e5f8cd9f55f

SHA256
e862d4160cdc67254f63343ca198108071cda3215f9937379d035848088e8955

SHA512
f9eed1163bc003d8195cef1d0067a143d9248a3fbe0859f0649919c74203eede2864094ff0f226a29d2ab4a04af26df085d00ddc5d42d9402cf832a8033efe3f

Download Submit
memory/212-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/224-381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/372-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/452-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/720-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/748-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/884-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/980-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1044-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1076-538-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1100-587-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1108-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1152-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1172-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1180-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1292-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1372-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1484-554-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1540-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1676-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1860-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1864-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-563-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1904-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2064-271-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2080-580-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2236-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2384-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-599-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2480-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2648-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-602-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3084-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-613-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3092-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3104-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3220-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3228-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3244-476-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-557-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3436-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3520-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3560-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3588-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3600-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3628-588-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3628-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3656-452-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3728-475-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3784-494-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3788-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3812-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3928-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3964-556-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3964-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4056-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4192-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4344-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4360-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4364-570-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4368-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4380-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4408-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4424-446-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4476-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4480-589-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4504-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4512-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4536-568-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-512-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4712-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4848-526-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4920-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4928-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4996-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5032-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5168-601-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5208-603-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads