31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e

Analysis

max time kernel
135s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe
Size

896KB
MD5

1131bc835450605fea04be686dfd1648
SHA1

e5a6cee2a6092dc70f7c4cb21cceb3261428683e
SHA256

31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e
SHA512

e3e7c36a804c8c3e8d4d77cd070ce9eaee480f21a85f1d9d1d732093f0b5934f639754f5ea55cad8d89ec923083d4ede2e94cf0957a4ff09902c8579439af9cc
SSDEEP

12288:TNDA2ByvNv54B9f01ZmqLonfBHLqF1Nw5ILonfByvNv5HV:TUvr4B9f01ZmoENOVvr1

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe

Executes dropped EXE 64 IoCs

pid	Process
824	Fomonm32.exe
4440	Fjcclf32.exe
2856	Fmapha32.exe
1952	Fbqefhpm.exe
3016	Fijmbb32.exe
2556	Gbcakg32.exe
1312	Gogbdl32.exe
3616	Giofnacd.exe
2912	Gbgkfg32.exe
5088	Gbjhlfhb.exe
2504	Gpnhekgl.exe
3688	Gfhqbe32.exe
2280	Hfjmgdlf.exe
4492	Hpbaqj32.exe
2960	Hikfip32.exe
4404	Hfofbd32.exe
3912	Himcoo32.exe
3856	Hpgkkioa.exe
3780	Hjmoibog.exe
1836	Hippdo32.exe
3940	Haggelfd.exe
1736	Hcedaheh.exe
4464	Hfcpncdk.exe
2972	Hjolnb32.exe
4620	Hmmhjm32.exe
3716	Ipldfi32.exe
1060	Ibjqcd32.exe
4520	Iffmccbi.exe
4360	Iidipnal.exe
3932	Impepm32.exe
4348	Ipnalhii.exe
3132	Icjmmg32.exe
1832	Ifhiib32.exe
3032	Iiffen32.exe
1972	Iannfk32.exe
2896	Icljbg32.exe
1476	Ifjfnb32.exe
1904	Iiibkn32.exe
3128	Iapjlk32.exe
3700	Ipckgh32.exe
3520	Ibagcc32.exe
2276	Ijhodq32.exe
1936	Iabgaklg.exe
380	Ijkljp32.exe
4800	Imihfl32.exe
4816	Jpgdbg32.exe
3880	Jbfpobpb.exe
3824	Jjmhppqd.exe
3944	Jmkdlkph.exe
3136	Jagqlj32.exe
916	Jdemhe32.exe
3608	Jjpeepnb.exe
2344	Jaimbj32.exe
3596	Jdhine32.exe
3876	Jfffjqdf.exe
1856	Jidbflcj.exe
3968	Jpojcf32.exe
5080	Jdjfcecp.exe
1756	Jkdnpo32.exe
1600	Jigollag.exe
2916	Jangmibi.exe
2152	Jdmcidam.exe
4644	Jfkoeppq.exe
2032	Jkfkfohj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Himcoo32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Iebapp32.dll	Giofnacd.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Fbqefhpm.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hfcpncdk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6032	5936	WerFault.exe	198

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 824	4588	31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe	82
PID 4588 wrote to memory of 824	4588	31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe	82
PID 4588 wrote to memory of 824	4588	31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe	82
PID 824 wrote to memory of 4440	824	Fomonm32.exe	83
PID 824 wrote to memory of 4440	824	Fomonm32.exe	83
PID 824 wrote to memory of 4440	824	Fomonm32.exe	83
PID 4440 wrote to memory of 2856	4440	Fjcclf32.exe	84
PID 4440 wrote to memory of 2856	4440	Fjcclf32.exe	84
PID 4440 wrote to memory of 2856	4440	Fjcclf32.exe	84
PID 2856 wrote to memory of 1952	2856	Fmapha32.exe	85
PID 2856 wrote to memory of 1952	2856	Fmapha32.exe	85
PID 2856 wrote to memory of 1952	2856	Fmapha32.exe	85
PID 1952 wrote to memory of 3016	1952	Fbqefhpm.exe	86
PID 1952 wrote to memory of 3016	1952	Fbqefhpm.exe	86
PID 1952 wrote to memory of 3016	1952	Fbqefhpm.exe	86
PID 3016 wrote to memory of 2556	3016	Fijmbb32.exe	87
PID 3016 wrote to memory of 2556	3016	Fijmbb32.exe	87
PID 3016 wrote to memory of 2556	3016	Fijmbb32.exe	87
PID 2556 wrote to memory of 1312	2556	Gbcakg32.exe	88
PID 2556 wrote to memory of 1312	2556	Gbcakg32.exe	88
PID 2556 wrote to memory of 1312	2556	Gbcakg32.exe	88
PID 1312 wrote to memory of 3616	1312	Gogbdl32.exe	90
PID 1312 wrote to memory of 3616	1312	Gogbdl32.exe	90
PID 1312 wrote to memory of 3616	1312	Gogbdl32.exe	90
PID 3616 wrote to memory of 2912	3616	Giofnacd.exe	91
PID 3616 wrote to memory of 2912	3616	Giofnacd.exe	91
PID 3616 wrote to memory of 2912	3616	Giofnacd.exe	91
PID 2912 wrote to memory of 5088	2912	Gbgkfg32.exe	93
PID 2912 wrote to memory of 5088	2912	Gbgkfg32.exe	93
PID 2912 wrote to memory of 5088	2912	Gbgkfg32.exe	93
PID 5088 wrote to memory of 2504	5088	Gbjhlfhb.exe	94
PID 5088 wrote to memory of 2504	5088	Gbjhlfhb.exe	94
PID 5088 wrote to memory of 2504	5088	Gbjhlfhb.exe	94
PID 2504 wrote to memory of 3688	2504	Gpnhekgl.exe	95
PID 2504 wrote to memory of 3688	2504	Gpnhekgl.exe	95
PID 2504 wrote to memory of 3688	2504	Gpnhekgl.exe	95
PID 3688 wrote to memory of 2280	3688	Gfhqbe32.exe	97
PID 3688 wrote to memory of 2280	3688	Gfhqbe32.exe	97
PID 3688 wrote to memory of 2280	3688	Gfhqbe32.exe	97
PID 2280 wrote to memory of 4492	2280	Hfjmgdlf.exe	98
PID 2280 wrote to memory of 4492	2280	Hfjmgdlf.exe	98
PID 2280 wrote to memory of 4492	2280	Hfjmgdlf.exe	98
PID 4492 wrote to memory of 2960	4492	Hpbaqj32.exe	99
PID 4492 wrote to memory of 2960	4492	Hpbaqj32.exe	99
PID 4492 wrote to memory of 2960	4492	Hpbaqj32.exe	99
PID 2960 wrote to memory of 4404	2960	Hikfip32.exe	100
PID 2960 wrote to memory of 4404	2960	Hikfip32.exe	100
PID 2960 wrote to memory of 4404	2960	Hikfip32.exe	100
PID 4404 wrote to memory of 3912	4404	Hfofbd32.exe	101
PID 4404 wrote to memory of 3912	4404	Hfofbd32.exe	101
PID 4404 wrote to memory of 3912	4404	Hfofbd32.exe	101
PID 3912 wrote to memory of 3856	3912	Himcoo32.exe	102
PID 3912 wrote to memory of 3856	3912	Himcoo32.exe	102
PID 3912 wrote to memory of 3856	3912	Himcoo32.exe	102
PID 3856 wrote to memory of 3780	3856	Hpgkkioa.exe	103
PID 3856 wrote to memory of 3780	3856	Hpgkkioa.exe	103
PID 3856 wrote to memory of 3780	3856	Hpgkkioa.exe	103
PID 3780 wrote to memory of 1836	3780	Hjmoibog.exe	104
PID 3780 wrote to memory of 1836	3780	Hjmoibog.exe	104
PID 3780 wrote to memory of 1836	3780	Hjmoibog.exe	104
PID 1836 wrote to memory of 3940	1836	Hippdo32.exe	105
PID 1836 wrote to memory of 3940	1836	Hippdo32.exe	105
PID 1836 wrote to memory of 3940	1836	Hippdo32.exe	105
PID 3940 wrote to memory of 1736	3940	Haggelfd.exe	106

C:\Users\Admin\AppData\Local\Temp\31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe
"C:\Users\Admin\AppData\Local\Temp\31f14a7ae535f8676fb5554598482bf5e55af8f401aa47b15ee73ebbcd047d9e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\Fomonm32.exe
  C:\Windows\system32\Fomonm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\Fjcclf32.exe
    C:\Windows\system32\Fjcclf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\Fmapha32.exe
      C:\Windows\system32\Fmapha32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        28⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        29⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        38⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        42⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        45⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        47⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        60⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        66⤵
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        67⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2844
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1100
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        78⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        81⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        83⤵
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3380
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        85⤵
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        88⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        89⤵
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        90⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        93⤵
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        94⤵
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        95⤵
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        96⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        98⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        99⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        105⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        106⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        109⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        110⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        111⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        113⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        115⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 412
        116⤵
        Program crash
        
        PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5936 -ip 5936
1⤵
PID:6000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
896KB

MD5
594dc7a6421bcc1aebf469fee21d7074

SHA1
fe6fda7ac2192e4e8fcf8f4babfcb88812ed24a4

SHA256
dd581e410de11ad5c71ddb752b66c1e82ea555378272bee99bd213545b9845e4

SHA512
ff4c135f95f706d60fe7e24c374abefa2a9d89393cb2879c0e970dcbdd1e8a221478bf31e8473866e56e4d1923b6bd846272a721695f7b42d2c7fd0ee92f7d6e

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
896KB

MD5
051bfdb8dab4f07cb6b794a3e6692b8f

SHA1
3c02b72e8265a812fc27f617015b6a8176f8d283

SHA256
d8396875177c41fcdd58b01592a36c30b5182bed580a4e96006155875ec08838

SHA512
91ad99102ff16e1f671283c80422384b61d86cedb9968578a05b43f601bb5b724ba5474958657e9457c82e2fddc7cac3181d54826e91df9587317d1b80d8db7a

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
896KB

MD5
97fc72b4816ec5f0b8f1d3a9c12ecc8d

SHA1
718a491a4825998153e3a8f361d74e211f58e5b1

SHA256
afb7df479ff3f351c3ff49602149450bcd3c5ff318bdbf377054657a15dd1444

SHA512
a5ab4d5d9e0a416f3b55e4c798ef1425002f7cf1e6110b6b614c3d9dd9d835ff2488eb8b243e65daceb1f60efb1f448b99a0dbce8d7ce577473f30286bfef3a2

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
896KB

MD5
bf959189653f08254571582116d16112

SHA1
c3b542c03df5a8519a93d44da45d55d85ada4eac

SHA256
0a35b10ed1b5e44aea68718b7ed63bf86ce30c87bd24086707f1b0a969790651

SHA512
c220ccf5cac27b886cb1650e4d058aadfa762d54974675f53392e9e1ffd770bf7dcb62925aa59070fc9112f7c3910ae509d177b9e92e97893054ddb2f782524a

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
896KB

MD5
fc4bd5380dab293ad19e58c2255694ac

SHA1
5d96eebfd507a66926e3f5a2a5e934083231d68e

SHA256
cc9b85741000b8c5c9bcefd689b6f52801280be772efb131ccf1000f8c7e55e9

SHA512
8557440c69ee17977d42f323ccb9dc2a344b581be2a6af3d34a55df74f256bc84cedc5a3e9d27b7c244fed230bfa7e41b066b84ac4e7da4700fe2e8bc661219d

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
896KB

MD5
ce302613534e49a3e3b7f8e842478e46

SHA1
6c581999fd68d6046ff18c63264708d99a94b043

SHA256
5c06c413e6c55a2388fab33d4e554d30278059820fd97cabaebbbb86db015ed9

SHA512
83c4fb52d231c43558e5d9ab4a5775f58f79a122482592db2f92138cb97c6459612148a8b36cc828bca6b6dc5c9bf698c23dc0d7de5ffb5b8c4cced4efc5b150

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
896KB

MD5
c0c8fa02670c4c42649a03cf213f8678

SHA1
e6228f6417133bb2d3490ae63fd7de8155a8428f

SHA256
a63ad3e75ada2bae149388f739e5eb120728899c0f7eb75bf736b9dd1d5197c2

SHA512
0eb6f4900b53a09f05de1f1aa27e73544f8d8a659e5600a91108d16363fd4b11985133f7fac4d160e2d31760f4230483b8b1254dc9cbc54eb9bc9653da668a57

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
896KB

MD5
182a5957f0b6dddfffc1220d5e46e110

SHA1
422d8d0934641d175133a5ad739611bde35b9e70

SHA256
fdd543292b9fbe5c74d4f94b75ec872e940c1bf6aae3f59f6a6287031ca546ac

SHA512
63e164c791f3459b6ebf0e62ed31dcd741426ff8abd9175048deb5e3086bee9b7dca37f03ff7566e58abd9a161104b6a38724468bc7c7fb8b775936582e97d25

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
896KB

MD5
a86454391a27f46eae8cb6d9f0f602af

SHA1
33c6528bfc5926981eee55e100db3351692ab2cd

SHA256
3f1a41ab25afc1033dc80a65e68574fca38a855cda31208ebb92b5ae46b20843

SHA512
373ea22e178d28943eb51c6ea9091ae768f4a4c7d8e140c643d107b00656c8418673bb672e2f969fcfd1e10f140dfc80cf753a3597474902aee0781d43533d41

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
896KB

MD5
f320b19c70fb699ec1dc0f2f83243839

SHA1
365cb300941ee21a1e89f74e08de0e620103c786

SHA256
765c73f2f26509cd6501ce736def13a8d92e04607e020b46cb31db3b3c3f46d2

SHA512
9ca66c7225eed48702737dfc64813b2bb96d987c94999e0fcb8457948bacd4cd4641e1ed184382049e60eca8d27d1170a71e34d8928b366808bd3b86fc1f9953

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
896KB

MD5
3aa034f4a94af8754a814b2c23240fc5

SHA1
19b649f46e696537c21371de6afe4cb38f53cd08

SHA256
0f6f93dd49fede7756821164daf2e2db87c7c024637ea5526ecda164c27b83c1

SHA512
66b0e3407031e9313b7ed5c3a8de93b29388f1a1f3ae58d40c87e7d514c3cea6239d24a1282897093205a35648aadf6aca5a29673a6f19a95c30e704f94f63f3

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
896KB

MD5
5ddb36ffe12e9c47884fe6c88338f2a7

SHA1
05bdffb524e5975ca5a3803577fd9592a8854c53

SHA256
9b15eea665a9f7733cdbbccdcce0ac3ade926b74b05035b4e6e8102042599bd5

SHA512
a51cfb57615e6bcbf86890d961188e02c5972db3260a28b1cba0c82148e97fe6af2a2549ff4850daf77f86a1c49d0265aa9f3c3c19cb57ecdd1d1125d7d7fb10

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
896KB

MD5
7a6bfe0deda9edf358714b129a1a2e70

SHA1
ce9a8312c2112a5e9432b3825f44ec68d2b94034

SHA256
b1adc26b6f096ea63aeb24a7818341d911061db990b763d5702e64660be1b034

SHA512
d5937701ba4154832c6edd1bcb453c4f9de70c766ac23d45b8d5a235ee93bb6ffd8c2a2993bcca870ac99c2195c3f38f27da68270a97a8c2aa6098884f535044

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
896KB

MD5
8eeb352335ec41c77140aeb0d97284c9

SHA1
40882563ec4bb62bd7905c05fb63ce8deed67995

SHA256
81a697f27c2e94a7bd9a63bcfbf57feb4ada2c453c589c1ec3f26f71f67432e3

SHA512
6a86b1e84ce19ae8f68764f94efdc336a31b9ae54ac0010fd6b207ad3f68aa2f1b595a8b2ad255c31e2ee6810662499414bafd464612e8ec62254537ee8fc5c4

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
896KB

MD5
b7b92b958ceb6079b1df4565fba0f2a7

SHA1
a9d8184f2bff1d278e81f146df429fd058b3fcf5

SHA256
c265d9cc6a0f8cd96da20ce57161ae01eba94fb47680549e3c7f7e04799cd1f6

SHA512
f922f0b4c38f54cb5abcbf274996640a643b81c98eea138abc5abdc045f4d2a79e9f55161f6d0ab9580ad1d1bc026a385e0ec30e3676eb829d8c7ad464020531

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
896KB

MD5
47efb8a9230a89e45dd03aa8f663d138

SHA1
5bb8246f811ac5eae81612017874b3381b064cef

SHA256
2bc0e2670f854668c2723d7b34faa57987fb347206b6781dd96efa1be9246210

SHA512
31b1f55c3449849c23c349bd6e81f112ccc2ab6012515e3407e04422c0ad1bc14b1a2c9a28bc9fdf201543cf993d217af3c0098d36584e8a9d2954b354dbcafb

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
896KB

MD5
c7dd33263f360e4bdabfd8c38a2da8c0

SHA1
37a8c11b7a14a4e0c5a4c390281ad27e476bb2ec

SHA256
6866be9736087ee0e7ed578ecc7737000e36ed082e3958fcb35a676dc6756bf0

SHA512
1d34c186f12530bad4fc0dc35b47f3aa324de0a409863110cf1c824156d93495e08ec2a28fd354fb895508396995b81e2358f1866abc738a1bbfa2bfe320df57

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
896KB

MD5
383c91e212de73977b7f12547a3aa56b

SHA1
b9056de049bf251c5cb939ebcf5df18cbce1d34a

SHA256
d165fc778b2337323e915c0198dded85d6736910f2bf10b631f07c55f2add0b8

SHA512
395f7b6c5df88c2f7e6afcfb8ed3dbf80ad8318bd6cdb0bdbf1c212e4763bc4987bc7bbf84d4a88a37d63a26791a79b7a0e2206df716c77c528d96db1e9c8fb9

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
896KB

MD5
0281cb90378d95ff324f3d7b5575b091

SHA1
4fafef8b855f94f1b590717b5f4e29eea6273aec

SHA256
fb3b062d08f9c04430fd889d55b5bed822a76dc9299247bbd05e29669513fc92

SHA512
42827bf2a72348067e08360de9d984de75b68f3db58d2039fe73454ef410ca895d7398f369880bf49799029a6d5a990cd66b2cad799152ba13e8fdccd903c48e

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
896KB

MD5
ebdeb4d4f7564432b857e0f7368ca3b6

SHA1
ae9d4d13ce28fcb8f6c4310956cf154b2681ed2c

SHA256
2b9c5ec26e60ee794f1dd3bdfb4939540a4a5331e2e177ffd08dd959522b4133

SHA512
809839b3e97dc52c371498b033d0de961dedc01ee359a77b3a31961f0eef6d09dc2d3d6eba0a32281779502f05d0951371c188988df953e07c0ba160664fca89

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
896KB

MD5
71fff3f476d46f16a031a6ac18538d36

SHA1
a065a36875cc978a8e89a19f55ec9f0b93eab7e4

SHA256
dab668c5df9e2feb58f27a9a5bad232bbf958f53762a679bcad0cb54ebc62871

SHA512
bca04c188237036eafa1ed5a3bd756847b1535b9f7f723958ff9e643ecf9111d1a726e99b5c44dbd15079d3e85987d685ad94040c1a8926e13425259538971de

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
896KB

MD5
f51dd6682ef89906307df53d0f2e65e0

SHA1
44180f05fe38e1ebf56f0ebdd8614f05e0883aa4

SHA256
4c46f78e8ec9ac367b68ed43ed5adc03a0d6e97ff9b31eb519ffe0dab8eadec9

SHA512
c1a9358b29c313ce1894e0d2dc6ffb46e980fbc3c4c82ad47024a1825aa0f045f63d7c566acf8c5718a9a63928afb5a88770d81069d7675bd40d42b6dc27c3bb

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
896KB

MD5
7a3d1440fee2b216b794ee4fb1727526

SHA1
6ece8dd1cc9a0d28836c25a6256f1d378bff0298

SHA256
9727ea50c98fb5bbe4a1cd3b99527ebbae55dcc9caede09be296594505e548fd

SHA512
273a4c01d8dda6e900726eb375375f1222b9c9ae45b0fa71eb8b245d355027ca25e6d521695cd8393dce2a3b3003a272ec69ec381680bbc4bcb1ad19cb1e4313

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
896KB

MD5
bcc98409bedd7ed4058a129abedbf5fd

SHA1
db2b23c74d89e1c2d3929a2f8fd6229e7231a110

SHA256
ea80d32bd8562fb60138f2ca5553342779755cee986f70b3e21963daad0a5779

SHA512
f791d1bf9ff7dded5c5490955944c11a21c293a867e0bc6e9ed2ad1d07984a49d473d0c28dab8315fff67ac60b09f8564f55815c4ac65db6a353a3c213177282

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
896KB

MD5
b9008e1fac9a9c5831c5906597732c90

SHA1
9456a80bac8bc928f332c6e788a85d60e4d22500

SHA256
a08f0414e7a86275d9763c66cddbaddb9e52362f3971524c9c7fba772e770a34

SHA512
d5b67a274dcb99d37d461028f80d7500f2afd7c41083591d63455edcf179f82565c5d0b30787d6e7a26f761063a7ad0631d2bcc846ca7bb0b88fa075bbd481b7

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
896KB

MD5
9aba18bbb8892e1d7038f305e507a52a

SHA1
520666a582b25ea45c45fcec0afbfc68a442d809

SHA256
4f492dff479127a77627f807f247577b737a240e2b991401388746306f6ea30a

SHA512
0f6e3fa059183da115fd12c25f2ba0149e23cc17e6c620e5c51ce4ce6d2cdf8b87d7df759e0df27c8335f6b3bab6e1a71cc071de2fa05a5eb71bce6c8414291d

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
896KB

MD5
a8feee4f85fc37d311158aef93abffee

SHA1
1c09798e991cbc998d8bd48b10d9802377ba10d8

SHA256
2d98b6bf05e9918c9d01f253420d9019468398147d9308145ef7191e29279988

SHA512
a4ab80bd246ae28f09713123b58fa23422e3ffd75a6228330bda5f15527774fdd1c90d81e57e9901e5adf459a3c4d3a439c990d8926a2bef615ae972dbb1b0be

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
896KB

MD5
18104c60e0e8009195068f70739f68b9

SHA1
29b099be46e94c9625e005187a36da9f9a91e62c

SHA256
0366a38c590f7c48f9f66dd8fa6dec657d5639194c682e43fb45c444fdedfe97

SHA512
27652e280bf6bf51661787324c6cca0427b3afe96a899b8496512504fb1893365c6e6588ef50d1e24b8c387fa52f27fb001fae9739307f027c11eac9eabcd1de

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
896KB

MD5
e1b61d2eda4e269ad8efbcb229f2c5c3

SHA1
de21efa80be659d662a4a472848bf03f0c28c33f

SHA256
c31d39f912d87bad4cc72646149a0aee8eb8cc7e5c6914544acbd6510cb51b4d

SHA512
dfa0f9a5c79dda8324542525559013cfe6046c125271108f249abb975deb74e69301baa4b8e54325060433f7cbbf088ae8e3e6a3282cba9c60f02d0f50a5f172

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
896KB

MD5
aecda986c98b5474161e5f4c403c4426

SHA1
f8bd3b4f7de4510fe7d18ed36e2cb9f9827c568e

SHA256
165abeb7547bf7a7e317e52860853463f01bd8f48ee7abf67c5ace0f528e9442

SHA512
0f5028df5e3265842948fa1ac532eee17d95337755df20fb32eb0c49387dcbba1f43895f20e8d22b8930c9f7b07ee52eb601e12574972b23938ff834cc28a3eb

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
896KB

MD5
4cba193659c0710276c750c3621f2a94

SHA1
e6bb0fdb25c40df5534ef9a2c9e47fb49685332b

SHA256
185970166aab050f1eb3b946da2007678681050602b2b277a0bae2bda3edbd18

SHA512
5f863f45da08f3bb8c3c6aeb5fab6cc83be12e0194f15bc254db3d3075e0d21ad4c7b1f93a001e0a1c097affb59970c991c43fc31034e78a8141ec9d9f1bd864

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
896KB

MD5
b81042bb1ab138c1310f5bcb8942b8ee

SHA1
5dcb78962d1874bc18efe673917311658b99aadf

SHA256
711dc7da037ee200b2042a4a16c026ca1e6333ffaa165707e0ed4fb992240e32

SHA512
4b29ee1f5e3b8cf298239fb129e2cdba535301970af9f13d8ca3ab05c4151eeb695960151450efbeaa082c8f6abb3f8f3fdb4f95ba77620a846bd85006eaa972

Download Submit
C:\Windows\SysWOW64\Kncfca32.dll

Filesize
7KB

MD5
ef4681283ddf9c9c4c0cf4e43163badb

SHA1
0731877bf0a28bd5be236588398d0eea45afc903

SHA256
2f07c686e3e30861bea177ad23ff1f9cb2c046f93100132d3b0c070aaff459f2

SHA512
38735cc764e990d81bb4126c267e63ddd16646f1531961f43f0e2687d0fee720285bfb7d614579105608cec74e577240f99bc30b6d0b5cf6ad8eb009cf5165b0

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
896KB

MD5
51a3eb9047db7cbd076446864560fc81

SHA1
af6649a1e291723abd2b508995f76fae2e42ab8c

SHA256
6085a899c161d37b371ada2b608fa6965b4af3411d93bbbbcc305b39f2aae172

SHA512
bd9976784983245fd22cc8dff703eba51e0e37cb837bd462256a81e4630f84b67008eeef7024036b148aee6bf494e300e1a19bb6b74495b1edbe8009d1ca53ca

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
896KB

MD5
c9924da07cb165fbfe5d5643eba025aa

SHA1
806a17fc32dc332e27f1ba4d67192fdd2bdaf153

SHA256
ba0f879df9bed97f705d62d9e736e6f3af2560f4fe98f99fcce86e4fd938a8e7

SHA512
67b9dc95d4df0bfa2de4960ea96d9bce7bd4719dd3e722b74de82f144d1047c873f84173718bb429360680898bf106ab94f90bd3170b4e68706b804de2f40a11

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
896KB

MD5
abc2cf76601f0774c1859eb1e82eb71a

SHA1
32711c9e7874032d91f5670cf8b75063d356a498

SHA256
f0b802d8a1893c84a0f203888d6b94f8ef163bb4a8fb7a34ef8b24cd935fc1cf

SHA512
33f259b47805146c98455904287626b463c8e98e64cdbbf983ea1342a3f6d4da4d2eaa23dfbb7c138c73c7c2a5479c8e8f1cc35a007a7a0684d5855bc3499056

Download Submit
memory/320-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-797-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-626-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-616-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5164-634-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5736-757-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads