adcc03f614b9ffc6081b20a028dc6ed809ec5994dc1f4bacdf91c3ab072eeb55

Analysis

max time kernel
129s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adcc03f614b9ffc6081b20a028dc6ed809ec5994dc1f4bacdf91c3ab072eeb55.exe
Size

99KB
MD5

2910b50a5152c4b8d60feb1365118eea
SHA1

009ac7e3484a6844ac673db73e3b4c2ce385378d
SHA256

adcc03f614b9ffc6081b20a028dc6ed809ec5994dc1f4bacdf91c3ab072eeb55
SHA512

ce12008b0b5b6e0680da47fb4de95e0e42adf45eaf04d36ad6d3d28b985db9a3ccd505bd398836919774d20f9ac379ed5a1eefb6660fc74f1246c0e715753f7c
SSDEEP

3072:G16UddXXW9HAhfxZPqR8Bgb3a3+X13XRzG:G16W5sH+xpC8O7aOl3BzG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe

Executes dropped EXE 64 IoCs

pid	Process
1244	Gjjjle32.exe
1760	Gqdbiofi.exe
2452	Gcbnejem.exe
2116	Gfqjafdq.exe
4888	Giofnacd.exe
660	Gcekkjcj.exe
3440	Gfcgge32.exe
3488	Gmmocpjk.exe
3920	Gcggpj32.exe
4068	Gjapmdid.exe
1132	Gmoliohh.exe
1044	Gcidfi32.exe
1860	Gifmnpnl.exe
1984	Gameonno.exe
1748	Hboagf32.exe
3844	Hmdedo32.exe
3912	Hbanme32.exe
2344	Hjhfnccl.exe
884	Hpenfjad.exe
1752	Hjjbcbqj.exe
3000	Hadkpm32.exe
864	Hccglh32.exe
4776	Hjmoibog.exe
4860	Haggelfd.exe
1156	Hbhdmd32.exe
3952	Hibljoco.exe
3804	Ipldfi32.exe
4928	Ijaida32.exe
3120	Iakaql32.exe
3264	Icjmmg32.exe
3596	Ijdeiaio.exe
4428	Imbaemhc.exe
2608	Ipqnahgf.exe
4936	Ibojncfj.exe
4564	Iiibkn32.exe
5000	Iapjlk32.exe
832	Idofhfmm.exe
4224	Ijhodq32.exe
1820	Imgkql32.exe
548	Ipegmg32.exe
3496	Ijkljp32.exe
5064	Iinlemia.exe
1628	Jpgdbg32.exe
4548	Jfaloa32.exe
4604	Jiphkm32.exe
2592	Jpjqhgol.exe
4612	Jbhmdbnp.exe
4404	Jjpeepnb.exe
8	Jaimbj32.exe
2624	Jdhine32.exe
4444	Jidbflcj.exe
2932	Jpojcf32.exe
2812	Jfhbppbc.exe
4640	Jigollag.exe
4512	Jpaghf32.exe
2292	Jfkoeppq.exe
4592	Jiikak32.exe
1632	Kpccnefa.exe
4824	Kgmlkp32.exe
1448	Kmgdgjek.exe
5040	Kpepcedo.exe
4956	Kgphpo32.exe
1520	Kinemkko.exe
4924	Kaemnhla.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	adcc03f614b9ffc6081b20a028dc6ed809ec5994dc1f4bacdf91c3ab072eeb55.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5824	5644	WerFault.exe	204

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiikak32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 1244	3740	adcc03f614b9ffc6081b20a028dc6ed809ec5994dc1f4bacdf91c3ab072eeb55.exe	82
PID 3740 wrote to memory of 1244	3740	adcc03f614b9ffc6081b20a028dc6ed809ec5994dc1f4bacdf91c3ab072eeb55.exe	82
PID 3740 wrote to memory of 1244	3740	adcc03f614b9ffc6081b20a028dc6ed809ec5994dc1f4bacdf91c3ab072eeb55.exe	82
PID 1244 wrote to memory of 1760	1244	Gjjjle32.exe	83
PID 1244 wrote to memory of 1760	1244	Gjjjle32.exe	83
PID 1244 wrote to memory of 1760	1244	Gjjjle32.exe	83
PID 1760 wrote to memory of 2452	1760	Gqdbiofi.exe	84
PID 1760 wrote to memory of 2452	1760	Gqdbiofi.exe	84
PID 1760 wrote to memory of 2452	1760	Gqdbiofi.exe	84
PID 2452 wrote to memory of 2116	2452	Gcbnejem.exe	85
PID 2452 wrote to memory of 2116	2452	Gcbnejem.exe	85
PID 2452 wrote to memory of 2116	2452	Gcbnejem.exe	85
PID 2116 wrote to memory of 4888	2116	Gfqjafdq.exe	86
PID 2116 wrote to memory of 4888	2116	Gfqjafdq.exe	86
PID 2116 wrote to memory of 4888	2116	Gfqjafdq.exe	86
PID 4888 wrote to memory of 660	4888	Giofnacd.exe	87
PID 4888 wrote to memory of 660	4888	Giofnacd.exe	87
PID 4888 wrote to memory of 660	4888	Giofnacd.exe	87
PID 660 wrote to memory of 3440	660	Gcekkjcj.exe	88
PID 660 wrote to memory of 3440	660	Gcekkjcj.exe	88
PID 660 wrote to memory of 3440	660	Gcekkjcj.exe	88
PID 3440 wrote to memory of 3488	3440	Gfcgge32.exe	89
PID 3440 wrote to memory of 3488	3440	Gfcgge32.exe	89
PID 3440 wrote to memory of 3488	3440	Gfcgge32.exe	89
PID 3488 wrote to memory of 3920	3488	Gmmocpjk.exe	90
PID 3488 wrote to memory of 3920	3488	Gmmocpjk.exe	90
PID 3488 wrote to memory of 3920	3488	Gmmocpjk.exe	90
PID 3920 wrote to memory of 4068	3920	Gcggpj32.exe	91
PID 3920 wrote to memory of 4068	3920	Gcggpj32.exe	91
PID 3920 wrote to memory of 4068	3920	Gcggpj32.exe	91
PID 4068 wrote to memory of 1132	4068	Gjapmdid.exe	92
PID 4068 wrote to memory of 1132	4068	Gjapmdid.exe	92
PID 4068 wrote to memory of 1132	4068	Gjapmdid.exe	92
PID 1132 wrote to memory of 1044	1132	Gmoliohh.exe	93
PID 1132 wrote to memory of 1044	1132	Gmoliohh.exe	93
PID 1132 wrote to memory of 1044	1132	Gmoliohh.exe	93
PID 1044 wrote to memory of 1860	1044	Gcidfi32.exe	94
PID 1044 wrote to memory of 1860	1044	Gcidfi32.exe	94
PID 1044 wrote to memory of 1860	1044	Gcidfi32.exe	94
PID 1860 wrote to memory of 1984	1860	Gifmnpnl.exe	95
PID 1860 wrote to memory of 1984	1860	Gifmnpnl.exe	95
PID 1860 wrote to memory of 1984	1860	Gifmnpnl.exe	95
PID 1984 wrote to memory of 1748	1984	Gameonno.exe	96
PID 1984 wrote to memory of 1748	1984	Gameonno.exe	96
PID 1984 wrote to memory of 1748	1984	Gameonno.exe	96
PID 1748 wrote to memory of 3844	1748	Hboagf32.exe	97
PID 1748 wrote to memory of 3844	1748	Hboagf32.exe	97
PID 1748 wrote to memory of 3844	1748	Hboagf32.exe	97
PID 3844 wrote to memory of 3912	3844	Hmdedo32.exe	98
PID 3844 wrote to memory of 3912	3844	Hmdedo32.exe	98
PID 3844 wrote to memory of 3912	3844	Hmdedo32.exe	98
PID 3912 wrote to memory of 2344	3912	Hbanme32.exe	99
PID 3912 wrote to memory of 2344	3912	Hbanme32.exe	99
PID 3912 wrote to memory of 2344	3912	Hbanme32.exe	99
PID 2344 wrote to memory of 884	2344	Hjhfnccl.exe	101
PID 2344 wrote to memory of 884	2344	Hjhfnccl.exe	101
PID 2344 wrote to memory of 884	2344	Hjhfnccl.exe	101
PID 884 wrote to memory of 1752	884	Hpenfjad.exe	102
PID 884 wrote to memory of 1752	884	Hpenfjad.exe	102
PID 884 wrote to memory of 1752	884	Hpenfjad.exe	102
PID 1752 wrote to memory of 3000	1752	Hjjbcbqj.exe	103
PID 1752 wrote to memory of 3000	1752	Hjjbcbqj.exe	103
PID 1752 wrote to memory of 3000	1752	Hjjbcbqj.exe	103
PID 3000 wrote to memory of 864	3000	Hadkpm32.exe	104

C:\Users\Admin\AppData\Local\Temp\adcc03f614b9ffc6081b20a028dc6ed809ec5994dc1f4bacdf91c3ab072eeb55.exe
"C:\Users\Admin\AppData\Local\Temp\adcc03f614b9ffc6081b20a028dc6ed809ec5994dc1f4bacdf91c3ab072eeb55.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\SysWOW64\Gjjjle32.exe
  C:\Windows\system32\Gjjjle32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\Gqdbiofi.exe
    C:\Windows\system32\Gqdbiofi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\Gcbnejem.exe
      C:\Windows\system32\Gcbnejem.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        23⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        31⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        44⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        54⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        57⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        67⤵
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        68⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2820
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        74⤵
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        77⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        78⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        79⤵
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1968
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        81⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        83⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        84⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        85⤵
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3216
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        87⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        88⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        92⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        93⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        95⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        98⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        100⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        102⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        108⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        109⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        111⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        116⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        117⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 416
        118⤵
        Program crash
        
        PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5644 -ip 5644
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
99KB

MD5
1159ca69fa9de7e89bd9711752e73e0c

SHA1
d524ed5649edcf023e1d4dd9fc8ee18b0aad44a8

SHA256
64f5280c353644f397341e4b3c78149f9ac79a134bb693dcc9a471a8600b5ffc

SHA512
6cf297da6d62a375176fe0c1cfc118bf627807f8734a3f1d5dad99470a248616b89e4f514b9a774ccb1ed7deba59509c49644676f01206671b00bd11e307f1d4

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
99KB

MD5
d9b929405fc4b38d3cc57d68d2ac5e41

SHA1
39ff4232316dabb1625b08b850925b839891c14f

SHA256
73f1fd659da8aa8ff3a37ead89584d9f949d0b1b6ad94f953b25ce7ed9fe30fd

SHA512
a61c06836462690c85fc38c0b356178be35507d5c3e288fec71612130659e2e3d2d75b229fc3067375c9ca16cf9ce792dfce60db378de0f155e02fba1e2362a0

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
99KB

MD5
6ed33a4858b70ac690481b7f018e8eeb

SHA1
aa3e24ee45d45fc197f4477bb48fd28855bd9570

SHA256
142a78c7824bcd93e4e5a5775ab3e215988852f535c3a29e4deef83d6b2ede45

SHA512
7d5c4f960250f275b866ff6837f776b9b4d955bc66f13daab8a5bbc268de043f9722cc9467076614fe6239b3f348cb34329cc8130672714936c19b94643edef4

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
99KB

MD5
5d6356d8e1331deab4eaef25a3d40041

SHA1
a91baf3c08aa38128cc7407f1aefc198af225163

SHA256
71bb6d2be7e8612d93c8978eb1196ad353a2ba0b383a71cd5d7fd68d3aac3dbd

SHA512
25338082998c0ba717aaeb8aaf8a7c25b7ac240d3acc88b3541c5994a7017224a64cf99af59923fb14be671f3267057f89fa834ad7cfef9885e9b45fc4c1f09f

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
99KB

MD5
20f069832c24399dd13d06bd56fa2970

SHA1
bda9168b7adf4f41191315fa5e0b4a958ae07bb3

SHA256
b156ee18285a0f8dce21f26a314aa7e7550edb42f74e95fd5bee9f4c803c6167

SHA512
14b1717e543b2ce24679077b520837c2e00868030f6d9bcfcc74f75648b696ad2b02d33b1f249ef06fc44006747161191ad95b98f5ae5f3333004a47b9a43ee7

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
99KB

MD5
94e4878a8b620e5834c7453fbba790a6

SHA1
2b2383c67ab92b75b8cd151124805c3e27e35716

SHA256
5c3f2746f7a0473b50f225c1a74153a65c0a220b413068708f97627b9f68c360

SHA512
12ba750979be05804c7de6892fbd016bdacb47a497dc3ba2bf1dbad8d2505a92e2591c383b4198d766f348abe04ac4cd940e77939d03c9645ea7f932fdc3a0cb

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
99KB

MD5
b921530e041a63c735361c15a3b6f522

SHA1
43f9de9103a9f040fd1a7cfd826c7a05b6350856

SHA256
d3a865b7b3fb0803cc04b99b7f5c5338039daf69ecb64ad45645e21637852a9d

SHA512
66760493d5f3ade411ccdb556a502ea465b9e7e70b593d5c6fdc8fbb83ee7fe16a6ae7d445781adf330efa8af6febbd58cd5137ccfb62479f701382f9c314ff7

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
99KB

MD5
16390d80c9c0dae969448f789039136d

SHA1
483ca0c1b99a99ec87270cce273ea461144110ca

SHA256
0250b1d064004a5b9e9188ef6c02d4bbe587aa3b66828e2b2d6266ac11ba9169

SHA512
a84ca7ce96726a413635202009f2c4074a9ac9d570f78ba2a480bb10ebdf1e71eedddb370769a77c64cb7ee3a9977d3dd8a678af4292f0e519b42a471e257bdd

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
99KB

MD5
b11f62a9041c29c4fa44fb9271015e3c

SHA1
5e231a23b7ab8a2979513911af5aa6d79abb7d8f

SHA256
5d2d53c2ca3c7233a1cf05b81f535514eb2ff24d787c7e3cb3a62d1a26de1262

SHA512
6c52b60d2e468e1a3c19c7001d7fc80b3111170699ccc5883918f56109ce964680a052608f5d667e7dbca192f4aaf30c6d768fdc3ed5cdd6bcd3328d941d67b0

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
99KB

MD5
3562b6551e4a6aca331ea3743e46e356

SHA1
97e758227cb20a875c3492f2c226f2147310664e

SHA256
4038a287797bc3d39bb19a02b50d4da013a3ed9619028ba8c184e44e88c56cf0

SHA512
65f201d912e46554f51f32d7a6b8825dac475a793efa5edcd2ab57fec62e4a42c5579b31466808921170856bff0fe74613e204290ba8178d4346037c58c2f443

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
99KB

MD5
efba46c52a8f01e09849253a813ab170

SHA1
90e92feea70e0963a14e622d94e5300df8a23224

SHA256
6af5fb1097758a1ab1dc144e8d448a1dc5879ec648139d2483b8fb3b8a47dc2c

SHA512
862529e3017b19b41f0a5ccacee52a755ffa8925e4e77dbf2bae894e26d143abe5e7658d49c3c6eb18b1462105c7f6c06c1ec065f0e52f0377b5b98fa0ff1924

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
99KB

MD5
0a0748abf33e5e153607ae32b0354b60

SHA1
4c4eb34971cd29675015ad8a2f5e26632796cf12

SHA256
d71cebf0b98874a6a0bd160b4dd37f69fd746f429f0994b04eb288f366db35ca

SHA512
1be50caca4a89c8d88e90109d06956c5b3b80829446051921781a7e59e66767807cecc1c8738b2deb7ad297884f590ee627bebd9b73da0669df9d325f27434b2

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
99KB

MD5
82e2e4a7e8b55b1063f2ba5360c3a5e1

SHA1
343d72efb041cce12f475238e516e92b53f9f592

SHA256
1079f3b5afe1f22378a7705c3c5493f2381ced61dd084783c88540f9c42bd6a8

SHA512
05eeb25e8339d7bdb3dea3bfdd061590abb7ba498a746d4bd72a729feb7566e817f405f4c7eae91bda90312a995214169ad287be48046d9c06f4d9704d57a479

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
99KB

MD5
b6b565c279bbd91b9f55984f1a22228c

SHA1
1d137ad479c9f0fdf9d338cb7de54fb5761cdb0b

SHA256
b1f3ffd0d3af46ccf153268abc3ec23ef8cfe3a128ad31eb2517292a9447dfe0

SHA512
c12fe1c21104ec65da840aaf195af3bcb59021e912342eb9dd7edf25b717dc8fe4a67f363cdf75f644331a90c6af26d33f40ed2214ad4ca3889cb1b9cc944c71

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
99KB

MD5
1573cbb7a3ebdb1af51be93c474b59a8

SHA1
38eebbc654a203c2e6e15ae6b542893ab3f62654

SHA256
b86e50cf8db38be829588208888307a09134acd35ec6be4e159eba481324e55b

SHA512
3d7e3be3a57508db575e14a972eff1931f076aea147d2feee6781f5ec7fcf8573006c6df2365ef1415e0fb63ec5b81100fda6c507b8a20275f25330290f8baf5

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
99KB

MD5
80705a6eba94b213fc265f1dc139a0d5

SHA1
ef23914575d6d82171f63ebabebc365cfecad8ee

SHA256
836c21427d2892388fe7de2325d50b62289f0b394f80027e99033a0b7e78524a

SHA512
16055db57b57ef53e8fc75369438a4871b6a5861c2a5082f492b22b300e64c22b6f6e3f247f84caef4522df4384d35db69a2e340125c0367613f7f6245c9593a

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
99KB

MD5
84eba78e79d72d4d43fecad60f3f2b57

SHA1
40b8ff981cf0a5d334c9acf5ac664471579e12b2

SHA256
ec03d902a67b7f339cb9f0a9b33539baf5ffbdb86ac96f5e2f50c448adb0d2ce

SHA512
3a0e0d92e6179c6ec5056c9e1454c4ad308adbf1b614ad9828ccb9df040451208f5cc60ad0d4c2ef742a067d95f161ba950053775ddfb65ee895384517866edf

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
99KB

MD5
60d9f995981b36d771b31b6beaa2a3d0

SHA1
fe773bc234722cac40907c3db290adcee9847b5a

SHA256
a30cd674aaf332a79c4a69ada5b2445410472453415eeb0df876bd61e87f155d

SHA512
6638790194a1c777d05824d7645b9272ee6a838cb943d81ef85c259fef059fc8e88702235322161c55b1e11f8faa6074111cc347f19a05045f6ae95c593d064e

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
99KB

MD5
a867a49dbccaf997049134d8b2521fcb

SHA1
736ade22df8668d416ed8ee8de79cccbdbdeb633

SHA256
c9393a85e186331e4d274428ad56812cba6442d4ea30878c496888c9e4e12f68

SHA512
4dc453c134a540840bc67958acbbd3fc44411ef73e6ca56e3ee0ac9b8173cd2adeb8da7d624e0c9b8ca1b8fddbbc4f5041618a682626b07c09a81342de2e3766

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
99KB

MD5
b74115221a6abfb8f22daa3053307472

SHA1
8149fcb0d29082d7d56f5c831437be426aebff97

SHA256
524cdfacbb6a94254a3c14f7ef7ebf269c4fdafdc339cfd96044a0e133d78509

SHA512
559fe405716ad5051126cf24272ca0ae29189c7f28f820c6337f43a4760651a74048d85cd8bda01f06ac7c1f140784cf40522b576918c566f3db68b2e588b3ba

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
99KB

MD5
00b0e25bcae04bd8837970353ba4a2d0

SHA1
0fd4c73d78c90dadfbe9417652dfd997f22bd1f3

SHA256
f8dbd11d1d02a89f42bf3246bae376024e7bb0fd7f68207256a4aa569ef0ad4b

SHA512
f7e391e364ad52446c51eab6ae7235c4c2471c5ebe328dfc049d7e23308fc14192d1c8171b4ff477a0bba1f5c038dd01fb3d2b501101653af307439e61a25134

Download Submit
C:\Windows\SysWOW64\Hifqbnpb.dll

Filesize
7KB

MD5
b6e43e2ccf3435b377bdd55a057f0262

SHA1
8a1892dd57f43f6da7d5dc8a6ed49b4fe58ee6ba

SHA256
4e145f3b7045c10f30126a058d439d919bc0f6514fb20943327b8de52f7c0530

SHA512
d5b57cf1507bc29e067acbf74cf5a98597fc12ceb4472dbeeb7687ff0964bba1fd0f5015985c218fa9acb5a6272de98a18b2d2b90a721e99bf36baa3a410c225

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
99KB

MD5
3dcaac9077a8feecc375de962eb48378

SHA1
bdc1e923ab58fbe63f25e9447a2bd1f457df304b

SHA256
cc15321e0ad32d6ad988fe12a32e9dd018f32a1ea5d64ca82b94ef41a0c23760

SHA512
c353160a165a3ad045848389cf2613a3ad248c596bb767755c3e757dbb0e9c4aae18f803a42c2c7b97990f6b4302ed1af1a7169fca32f7a73786c5bbd952dae1

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
99KB

MD5
45d01a6cd0e8699348cc6dfde9d67c58

SHA1
f0ccac2cea3ae3795116a517772a4fbad9770eee

SHA256
55fc2dfcd34d0668125965c3a3e0510f599c715749cf38a6f362740bbea1248e

SHA512
f7ff24c007e2b54c109b0d6880044447ab0e08e05bd09aff3c8510dec9501f5290f081a0414532c67e8bf39ef2adc02df7821f622ef7e40141244d70647e45e4

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
99KB

MD5
5747f6d3f5b128d3b4a2a3ce45dca2c8

SHA1
92209f64f73c2817735236a79b044f08f1cd0fcd

SHA256
7531baa11b99a9ba4d0d3daecb7559ab8ae129588787f38ad70a18342073bd66

SHA512
7b9e08853e6fade10d5f97cbcb693895b3b8826e90af7fbb2b80ed28c0332941ba87db5b1997bd721cd6d8d055eec95fc156ed18c4553fd19ef5ae705edd7790

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
99KB

MD5
406375226092e07c6f004e5acb1055ff

SHA1
23f17cbee6fd23dc994e070586f08ca8b0106542

SHA256
db5d857e9b94cd0be05c451bbdff63859455ebc3ccd999bfa605ae0c0c267cb0

SHA512
6d74c3cf0ff918b9687aa59665c3af05a32e80673d4a8e565663b554e702e37e0e016ea4a5af5486b97fdd4f06b92e03965dc80f66a64fac6a901bc3781208ed

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
99KB

MD5
34afbe753bcfe1c2592104fb9fc9768c

SHA1
f31e54bbf7fbeceaff551d72468aef7289b98de7

SHA256
677df6b7f72e7df8e0748424fe168e8bd6ea73b26570b2e25ffe8e3ef226e5a9

SHA512
cd430499b942e5c550268bf699e76a7c729015da3be431b3744193be32b54bfa96cfaa3bff73bc813fa02fbd3725af1b791137418c3db4ea74235517092cc8c3

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
99KB

MD5
22d881440134e8574671b1d8234605dd

SHA1
1387e0fa93e77da293ab359e373a941d8d25d061

SHA256
6ca04c656989bb2a74c1b96c259ee3d92a1a19e5ad5ee8a80e8476c832553721

SHA512
f0b96d202adc350f0719b4bf07adb719b6ea876b368a492ed287a320f15bbaa098ce8c0525300bbc0aca914f269c8885dc30dfa019b332c7cb3bdf66b9d25a65

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
99KB

MD5
5e32a6edb2a7ac9ffede27b3f088aa94

SHA1
478de008ff25d28c349de98fba8dcd351e31d3dc

SHA256
527b1f4b8ce91e4f70c0f0df5b7bb1404e1dd4981bcd4fa1d3ae765370d52a0e

SHA512
016e3de2981a424e2d31715e2cf6d302e8f791c4d2de8f5f9ce7646bb73d87f9abb7c75a25e50aaf1a9a7746ca7482d58a9fdf6976ee7445a7506afaea4fcefe

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
99KB

MD5
a02760c5d565c909ea52ffe72f7a2265

SHA1
095f838a6119db48c9de4e0e98560025f3aaab75

SHA256
af2bb4886340e3bfd9f84b78f02ca33f7bae4d495d9dfcecb78e24ef92fec2ee

SHA512
1e7620f2593a5263d6a60f15946f05bbd00acd303b9ae8ebd1af9c2c0ec66133b617ce103c0c153bfdf807a73ab7dfcd1d0c26a6fa8cd9b5a6e304cde23bbde0

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
99KB

MD5
46dc761885af2939ec2329fb522527cc

SHA1
3cfeae778c83bd67408967d409c6d912c8cb1169

SHA256
6d9d9ee51077653fcb06e20bbfa7e3b438a7033019adb4380c64d0438eb6fee4

SHA512
b3b97a49d7c82586f7fa47972d2cde63f746363e55a4a9acf5e96ed70681c3f6bdf1cff6c6dc0397763da916c830f2439caeb15ad73e5c8bc4ee962527962654

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
99KB

MD5
525b131fcdb2f2c873156d89a2275c2b

SHA1
5c47f19b505bbdeb54168bd309ef2e59cabd0c17

SHA256
9359d9b130a16334c0d067567d53123f26aa5ecb7c55821b428f34790e24d7c5

SHA512
706399ec951bca1bffae001d694336f80beecb74dd7b9d94619e60c721dba08ae10a794b816cbba888990708219361b8943ffcd3ab3ecbf4fc3fb8fab2715696

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
99KB

MD5
e97332474324cf6ba36a4d252b0e48ad

SHA1
2db70bc5bde7bd2628303bfc1052ce88afd35b57

SHA256
ac1cf7a04cf69ce9782bc5075b92dfebffbb90d9c96d4a41815858edd898a6f6

SHA512
33e4526fff43fca24041e60e4e6ef1af1de93662ebc064ab3fd56ab7a8eced55e3b5742c06ce1ac83ffcfd32e628f4334e1dbea9ef31b7b926b9a4e218614d6d

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
99KB

MD5
4acb19ebe3b3b51d3a54152fce9b15c8

SHA1
b4f99ab35b74134f7e7bb147085ea34da95e01b7

SHA256
f7f75678cf46be3fb3c3307e67e611f5f26f665d5dc68e2e60ee1ec440ddf90f

SHA512
e7c0a345aba8a59ece12099294c263b961634483ede0974b64bc8262979daef218a9d5c16468be9d487ebe03d446fdaf359f06625d34524b985438d254935fd5

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
99KB

MD5
c3ea32ba86d2080bf9247eca5b3b8709

SHA1
c7e545b18e110d3efa2dc579eafc25cb74d8a979

SHA256
11bc16a810b864f1cf3f50fbfc070981dc4a06fa6810ac786e302e75419bf7c4

SHA512
516a6df7cdf4ace30aa7b7a0b56af209455f30f465c856d35c124c4319dd2bcd326dc862aaef872c0e02991f735ed9a4d74e60d1ce07480d8ceaf9f3a5d41f5f

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
99KB

MD5
c8d39a9a0db3c693cae900f19159a763

SHA1
ab96b2c04ae2d317895265db14d35eca6d6be77c

SHA256
b8669817f48e52754d8874af021a6d14692f62170ebade434cd568f44ca7cb48

SHA512
6b7ffdb31b3369ab4dc9b8543fdace00d62fcc2b79aa539220c5fd3ad5308d6f9f980c9f3f96992af93fc5b19a71d24c90a1aca50b03eb4713369464e50ea1df

Download Submit
memory/8-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/544-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/548-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/660-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/660-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/832-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/864-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1132-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1156-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1364-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1628-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-513-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-489-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1748-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1752-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1760-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1820-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-597-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1860-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-543-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1972-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2116-571-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2116-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2344-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2812-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2820-482-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3000-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3120-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3160-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3216-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3264-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3384-507-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3440-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3440-592-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3488-604-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3488-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3496-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-253-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3608-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3740-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3740-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3844-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3912-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3920-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3952-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4044-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4068-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4212-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4224-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4404-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4428-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4444-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4512-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4548-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4592-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4604-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4612-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4640-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4956-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5040-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5064-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5100-569-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads