1f8640430ee127a4bc522929d57645563810c613f7b0abe49f35bd9f67490ab5

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 00:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f8640430ee127a4bc522929d57645563810c613f7b0abe49f35bd9f67490ab5.exe
Size

128KB
MD5

dcc5a8071bd57ffc8ed033bd824d2f90
SHA1

49e25091279131cefd5239ea070bf7398572daaf
SHA256

1f8640430ee127a4bc522929d57645563810c613f7b0abe49f35bd9f67490ab5
SHA512

a10e551991ab23b30e46a4d84a85d66eda58e3be16ec0b1485c37208d61015f50921fd37cf648b33271d9bd54ee7578061cd03a473b4a0688534ceddeecfa8d8
SSDEEP

3072:pTmHdnSua4BhC8e4QS5DSCopsIm81+jq2832dp5Xp+7+10l:tmBiaC14QSZSCZj81+jq4peBl

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djnaji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1f8640430ee127a4bc522929d57645563810c613f7b0abe49f35bd9f67490ab5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Diihojkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elhmablc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elhmablc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe

Executes dropped EXE 64 IoCs

pid	Process
2844	Clckpf32.exe
764	Coagla32.exe
4852	Dhjkdg32.exe
2736	Diihojkb.exe
1708	Dcalgo32.exe
5048	Dhnepfpj.exe
2684	Djnaji32.exe
2244	Dphifcoi.exe
772	Dfdbojmq.exe
4984	Dhcnke32.exe
3864	Ejbkehcg.exe
3432	Epmcab32.exe
4432	Efikji32.exe
2420	Eoapbo32.exe
1176	Ejgdpg32.exe
2728	Eodlho32.exe
516	Elhmablc.exe
4844	Efpajh32.exe
3572	Ehonfc32.exe
816	Ecdbdl32.exe
1012	Fhajlc32.exe
2800	Fqhbmqqg.exe
1988	Fbioei32.exe
316	Fmocba32.exe
3452	Fifdgblo.exe
4992	Fbnhphbp.exe
3816	Fihqmb32.exe
3884	Fbqefhpm.exe
1676	Fijmbb32.exe
4832	Fodeolof.exe
4252	Gfnnlffc.exe
3000	Gcbnejem.exe
3524	Gfqjafdq.exe
2224	Gqfooodg.exe
2028	Gbgkfg32.exe
1052	Gqikdn32.exe
4764	Gbjhlfhb.exe
3164	Gmoliohh.exe
4072	Gcidfi32.exe
4912	Gifmnpnl.exe
1736	Gppekj32.exe
2312	Hjfihc32.exe
2140	Hapaemll.exe
1932	Hfljmdjc.exe
776	Habnjm32.exe
2924	Hpenfjad.exe
1476	Hjjbcbqj.exe
3244	Hmioonpn.exe
5112	Hccglh32.exe
2580	Hjmoibog.exe
3556	Hpihai32.exe
2088	Hjolnb32.exe
512	Haidklda.exe
2704	Icgqggce.exe
644	Impepm32.exe
4092	Icjmmg32.exe
4680	Iiffen32.exe
1672	Icljbg32.exe
2780	Ijfboafl.exe
4472	Imdnklfp.exe
3200	Idofhfmm.exe
5072	Idacmfkj.exe
3416	Iinlemia.exe
4444	Jdcpcf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Knceql32.dll	Djnaji32.exe
File created	C:\Windows\SysWOW64\Efikji32.exe	Epmcab32.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Dcalgo32.exe	Diihojkb.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Dfdbojmq.exe	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Dphifcoi.exe	Djnaji32.exe
File created	C:\Windows\SysWOW64\Kpmkpqcp.dll	Dphifcoi.exe
File opened for modification	C:\Windows\SysWOW64\Ejbkehcg.exe	Dhcnke32.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Epmcab32.exe
File opened for modification	C:\Windows\SysWOW64\Dfdbojmq.exe	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Fhajlc32.exe	Ecdbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Djnaji32.exe	Dhnepfpj.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Ejbkehcg.exe	Dhcnke32.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Dhnepfpj.exe	Dcalgo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5792	5908	WerFault.exe	222

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhjkdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1f8640430ee127a4bc522929d57645563810c613f7b0abe49f35bd9f67490ab5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbiklpin.dll"	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll"	Djnaji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djnaji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnepfpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2844	2104	1f8640430ee127a4bc522929d57645563810c613f7b0abe49f35bd9f67490ab5.exe	82
PID 2104 wrote to memory of 2844	2104	1f8640430ee127a4bc522929d57645563810c613f7b0abe49f35bd9f67490ab5.exe	82
PID 2104 wrote to memory of 2844	2104	1f8640430ee127a4bc522929d57645563810c613f7b0abe49f35bd9f67490ab5.exe	82
PID 2844 wrote to memory of 764	2844	Clckpf32.exe	83
PID 2844 wrote to memory of 764	2844	Clckpf32.exe	83
PID 2844 wrote to memory of 764	2844	Clckpf32.exe	83
PID 764 wrote to memory of 4852	764	Coagla32.exe	84
PID 764 wrote to memory of 4852	764	Coagla32.exe	84
PID 764 wrote to memory of 4852	764	Coagla32.exe	84
PID 4852 wrote to memory of 2736	4852	Dhjkdg32.exe	85
PID 4852 wrote to memory of 2736	4852	Dhjkdg32.exe	85
PID 4852 wrote to memory of 2736	4852	Dhjkdg32.exe	85
PID 2736 wrote to memory of 1708	2736	Diihojkb.exe	86
PID 2736 wrote to memory of 1708	2736	Diihojkb.exe	86
PID 2736 wrote to memory of 1708	2736	Diihojkb.exe	86
PID 1708 wrote to memory of 5048	1708	Dcalgo32.exe	87
PID 1708 wrote to memory of 5048	1708	Dcalgo32.exe	87
PID 1708 wrote to memory of 5048	1708	Dcalgo32.exe	87
PID 5048 wrote to memory of 2684	5048	Dhnepfpj.exe	88
PID 5048 wrote to memory of 2684	5048	Dhnepfpj.exe	88
PID 5048 wrote to memory of 2684	5048	Dhnepfpj.exe	88
PID 2684 wrote to memory of 2244	2684	Djnaji32.exe	89
PID 2684 wrote to memory of 2244	2684	Djnaji32.exe	89
PID 2684 wrote to memory of 2244	2684	Djnaji32.exe	89
PID 2244 wrote to memory of 772	2244	Dphifcoi.exe	90
PID 2244 wrote to memory of 772	2244	Dphifcoi.exe	90
PID 2244 wrote to memory of 772	2244	Dphifcoi.exe	90
PID 772 wrote to memory of 4984	772	Dfdbojmq.exe	91
PID 772 wrote to memory of 4984	772	Dfdbojmq.exe	91
PID 772 wrote to memory of 4984	772	Dfdbojmq.exe	91
PID 4984 wrote to memory of 3864	4984	Dhcnke32.exe	92
PID 4984 wrote to memory of 3864	4984	Dhcnke32.exe	92
PID 4984 wrote to memory of 3864	4984	Dhcnke32.exe	92
PID 3864 wrote to memory of 3432	3864	Ejbkehcg.exe	93
PID 3864 wrote to memory of 3432	3864	Ejbkehcg.exe	93
PID 3864 wrote to memory of 3432	3864	Ejbkehcg.exe	93
PID 3432 wrote to memory of 4432	3432	Epmcab32.exe	94
PID 3432 wrote to memory of 4432	3432	Epmcab32.exe	94
PID 3432 wrote to memory of 4432	3432	Epmcab32.exe	94
PID 4432 wrote to memory of 2420	4432	Efikji32.exe	96
PID 4432 wrote to memory of 2420	4432	Efikji32.exe	96
PID 4432 wrote to memory of 2420	4432	Efikji32.exe	96
PID 2420 wrote to memory of 1176	2420	Eoapbo32.exe	97
PID 2420 wrote to memory of 1176	2420	Eoapbo32.exe	97
PID 2420 wrote to memory of 1176	2420	Eoapbo32.exe	97
PID 1176 wrote to memory of 2728	1176	Ejgdpg32.exe	98
PID 1176 wrote to memory of 2728	1176	Ejgdpg32.exe	98
PID 1176 wrote to memory of 2728	1176	Ejgdpg32.exe	98
PID 2728 wrote to memory of 516	2728	Eodlho32.exe	99
PID 2728 wrote to memory of 516	2728	Eodlho32.exe	99
PID 2728 wrote to memory of 516	2728	Eodlho32.exe	99
PID 516 wrote to memory of 4844	516	Elhmablc.exe	100
PID 516 wrote to memory of 4844	516	Elhmablc.exe	100
PID 516 wrote to memory of 4844	516	Elhmablc.exe	100
PID 4844 wrote to memory of 3572	4844	Efpajh32.exe	102
PID 4844 wrote to memory of 3572	4844	Efpajh32.exe	102
PID 4844 wrote to memory of 3572	4844	Efpajh32.exe	102
PID 3572 wrote to memory of 816	3572	Ehonfc32.exe	103
PID 3572 wrote to memory of 816	3572	Ehonfc32.exe	103
PID 3572 wrote to memory of 816	3572	Ehonfc32.exe	103
PID 816 wrote to memory of 1012	816	Ecdbdl32.exe	104
PID 816 wrote to memory of 1012	816	Ecdbdl32.exe	104
PID 816 wrote to memory of 1012	816	Ecdbdl32.exe	104
PID 1012 wrote to memory of 2800	1012	Fhajlc32.exe	105

C:\Users\Admin\AppData\Local\Temp\1f8640430ee127a4bc522929d57645563810c613f7b0abe49f35bd9f67490ab5.exe
"C:\Users\Admin\AppData\Local\Temp\1f8640430ee127a4bc522929d57645563810c613f7b0abe49f35bd9f67490ab5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Clckpf32.exe
  C:\Windows\system32\Clckpf32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\Coagla32.exe
    C:\Windows\system32\Coagla32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\SysWOW64\Dhjkdg32.exe
      C:\Windows\system32\Dhjkdg32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        26⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        27⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        32⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        33⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        35⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        41⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        43⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        46⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        48⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        49⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        51⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        60⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        63⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        64⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        66⤵
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        68⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        71⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        72⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2992
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        74⤵
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        75⤵
        
        PID:844
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4424
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        82⤵
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        83⤵
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        84⤵
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        85⤵
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        86⤵
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        87⤵
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        88⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        89⤵
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        91⤵
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        93⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        95⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        97⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        99⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        104⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        108⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        110⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        111⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        113⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        114⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        115⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        116⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        119⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        122⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        124⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        125⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        126⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        130⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        131⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        132⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        135⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 408
        136⤵
        Program crash
        
        PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5908 -ip 5908
1⤵
PID:5540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Clckpf32.exe

Filesize
128KB

MD5
67941a7b9ec5ddf1dca10056cddba069

SHA1
aa119d030bce6aea2c056143fffe490a30639b4b

SHA256
157e20f2cd4db919fbfe86264a67d9023c7075e67036ca8a86089bf357118898

SHA512
36b2cb8ce8b4552430541dccc2f5ea3565cdc9f5a06a6621c8a1fdf05002a15569c8bef2b673ea46db48db6a3c3297976a4cd1bae123265b1e046ec2aa843cdd

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
128KB

MD5
a8e7f968ffdbcab1f6fbb1907b0bb060

SHA1
c8a0872468097fbe2bd63d0b2ad6093f172cfbcb

SHA256
145c7edd1baff40df54971062c82ac5fd7b59f33dcb660a3e137e724e68cc7ee

SHA512
5197bd44e2bdf70313f93ef34ea34f3e1618f2236a75d3488eb2ddad76a056687806b6402eb31a50c4c8c747f95eb97bf2203e98a052716b746d794797af9af8

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
128KB

MD5
862df38c6d76c4214872c05d9d6cf9a4

SHA1
b2c20624f34bd8952812f5ccde273337c9c224b3

SHA256
70a657b0b1cc20a3d11d881ba30149d8792ed6d57095e34f6c0add0eab63e905

SHA512
277d48d76517a4ee24f147a4f293c5e5b8e2ed6dd628f8b5b3d3b7a8f977ec2e43287cd3a3414c038fc0257cb787c5b963df5ec0ce62e63c795113ef8873985e

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
128KB

MD5
4ddb892ec881ea5a3178c632a2c2bb85

SHA1
12ddec6d5479be9dcd080e5f4ad060463cbe508a

SHA256
2777547d704b201fff0fa3c6178a8ffced60fe49dd696216353307746710bb78

SHA512
b09943edfab71d039bca58b3128b0b9c3534e56a9c08ae3248f29175b806d545c6ef3fa4dcb3b9955c54cbb9be4ac8a64e59793b28aa13bb87891147c0f9ba3e

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
128KB

MD5
b08fbed07ab7a5d27ded433f1a8e8896

SHA1
499fcb235e283c1a88b6ad82df28b819ac3bf51b

SHA256
85e9128f9b4e85285bb3d3786d5f2263ecc12ce1b8fa287a319e507d0c9a592a

SHA512
40bf0f9a0f20dbf1304a43e328be5f79aff5797f646824b7f8113e66ccd1037a50514110473c8aaad956bdcd12f1be011de6c7689a9fbf18fba456b4847974c5

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
128KB

MD5
384797e11c220b4a4d9a1ae95adb6a66

SHA1
d465004e085d9295400a229536b80ca96bde3559

SHA256
db56b6c7eae10f094e9c29c0f2fa06801dfe22c8d96168fa68d766c581a9afc3

SHA512
f3a50c54cf3c0abf90979e0139c02d20e46ddc3efa689ae5f4fd56d1e35a87bdfd43cd6e8140f290938a41e729ca3b71a64acf8ef46018ec9b6eea6c7b2eb35c

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
128KB

MD5
e1cf9b02235e5f11aeb8c6b3e32b0388

SHA1
492af4b7def60288158e20bc5d32331c28a4452d

SHA256
5114dcabbac04bff7ee9a14f577e3ccf3ec628b576466bb72fe3d7ad5ec03540

SHA512
298694ac1c6aaba32440881421258e3e64da57ae1d2e49928ac785265b2c438f86a3fde175aa418a4d011598cb75a042f3c9b81b6954b67ad1e67de91bb29782

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
128KB

MD5
ca5e258dbb0e7907ddbe825fcde536b4

SHA1
b57e6a27833f6af89681dfff32a2fe81b8481a38

SHA256
542b5d23263dbe2cb62e70a60d08692f4d4b55de98c01f0f52a482a9fef6f898

SHA512
a26ce4eaf76c7a29aeaaff81f6cc3a8077166f0a7fdce206da42cfef8094ce9e1a29e3aebf6068ece78d3238fea2047aa5e75224b56b86dd587d32601b7aaaf4

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
128KB

MD5
21ac72b4c5ef2bbdc8a2c9b2df302bdc

SHA1
87d3d4cbb22e38eeca0b1272384af933c94ba817

SHA256
5dc80ee1e264a1517cd5812ad112310b565ce864874aacdef6f3f04386b440e7

SHA512
a28633a5c85de1e04781cf5103ccf3c56f2bb9a94766534f7ac65e85b4eff49bfba72a5e2d7ab837fe8a7c56859cc7d2276d810f2677f55a2231bb5674f18a9f

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
128KB

MD5
54603858336cd7216f0e1fe3d215951e

SHA1
f999d8029894331608784078cf25791a45c05a71

SHA256
cee76ce2458405820a3e0b88ef7fabd3706a9b4073dfc2bb4a389a80a3ea4ce7

SHA512
33db1c606e8f3e893c7c7426fa91641354020fb32c0fa58f26a0e621fb370b88af75aa5d949d7bec76046c7d721ad3be517a354b6d649ec9cb90ea05083d53ae

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
128KB

MD5
364f4ab9d09f94c4d2356396aa3a553f

SHA1
4ef9c702a11ba2d4160008ce34ae196cf915cc71

SHA256
50767898a23d4058d329fa00262b2f066d01c0439a36451c123ab92b4a5090b3

SHA512
7dbe077c9c02f2736de6cb661c02d8b83a75a6b3ee1f6613aeddc0d20264e1d97b851870eb080657c97469650a3a255e846288b28ade2769fb69db4f799266b4

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
128KB

MD5
741451fcf5cbead51d447b123ba1d0cf

SHA1
e2f4bdf15b04f8aff026d2a81d15f6fb7d8f671c

SHA256
9548e361f1965094befb25925dcebc5bcd944a049f7f4d2fd5336afba000df8e

SHA512
1fcc281924043669588d604ab9e45360e92233ac4c39fbfc0d782b8321480948db4c99d135edba1bd17be391acc9fff1e1ad2bebd6fc31e9ad25cf39bae34ccb

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
128KB

MD5
0bf34fd0b1a7c5a681cd06cf62deb0c9

SHA1
ba8dea48f85d11b32ceb2419c04fd7afb92c4cea

SHA256
b75ba50fc4ac00eb653fbd366c1d5a7824b269363a2a4b17aa438691fee8b003

SHA512
b56f73e99669531e3f5e26cee7b6d1bc8ffaa00e74a089ee6e82e0aae015ea81defa7ab60eccae1df863c08c01ade18fcfd0710c1d220fca00defd8d5736dbdf

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
128KB

MD5
49729de5a57c5400b47edb735a075aa5

SHA1
6a8249d3a4b4e1726a54dd0dfaba86ef9f42ca46

SHA256
61471dbb24b1b9a6d116f1beacd4533ecf2e27c7b0c2f60dd0128be7d08a0027

SHA512
499bf6810609f3a3e3ba79cc3dfbcff77ac82e36f97888a983a8f992ebc336dc74d727ac0c72b1ae23a332f8606de895540cbdb92c544d89cb6a8a2c96ce1ce4

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
128KB

MD5
0f2fc570d770d94fb665b85629425c4e

SHA1
5d905dff0c96fd1592065adf527ac2f1ece8e23b

SHA256
0f2af93661417c558ff3aac4719a63734d0bb612e467630c5708476b62745f5d

SHA512
fdc12b0ecfb96d0da17b043aa3632cb12228213c1f25410ec26c98eafea1e7af041db42cc0044b4238b4ed34777d4d25138a5fc2be4af0bff14654cf2a27a4a6

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
128KB

MD5
96b3bbd173e55f114a2d513524aa7ca9

SHA1
03e5d37020a47845a50fd71d5b73fd026cfb48d5

SHA256
99531a92bba56529979be6a4e8579b8fe32c0b2839234bf943bbb9f7941c3c9a

SHA512
6b896217e8fa1fd015fed378fa02c74172236e4db3eac95111f14974edb0af7b90cd15d684a9efd94c9c51fa63d6165e96b4f74f4c56344ac0e178c80daec863

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
128KB

MD5
42d2ce3634f98027a3d046fe9c208891

SHA1
425aab243731093ad158af774806c82d51e1c614

SHA256
be9c888ff21906ef31c04c0c2f4641b75186a60dea4044b172e572531947073d

SHA512
d9ba97b2b5d046595412cb20c1757cf2555c33d487cdd54db68a700c657c1998728ed375871218b8c19a5fc509a38daebbd2caaf4ff959dcfcc9917ea63be7ad

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
128KB

MD5
06f81cf022fd901cdd5b6b665437c9c9

SHA1
43a1c704d782b2cbf4c0528554ea6dae8838463a

SHA256
8540f63b69a331624bcbd6c04a121d5107538badbc947ff29acf4da2108c00e6

SHA512
5cbf4efc40d020392e7ed8b671035797dbaf1dc96c697e1b6c89037a4eca0fc098156612667a420ff361cbfb084b3746a0289d4125a301ec424273495ff9a5c7

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
128KB

MD5
b8d96b705b3754e2242dd8a5bba358e5

SHA1
febe38056b513007761f7021cef14758f42662f0

SHA256
55a13eeb8d408a6a3a5838c783d654cff47d06e47585fafc5f1cc1ab8f00d905

SHA512
9b1a7ff9baef626106c07cb26f9343870ed9ffdebf901247b871279a3465e640b9bf11f6bb9949481df01e4ead5ad2df9544c95943b5726f74b75b6eebcd102f

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
128KB

MD5
c1b12e81bc6ee20f0cac3fd29038c4fa

SHA1
e959edffcd4d71130d71498b151a381cb4d4eb49

SHA256
ba3d002afa40e2b0abd21359e5e39361b773ea05670124ad384540d012d32c84

SHA512
45561b5f211ece4c02fc2f195457c18cc9b37adf57f5247f538dbc14cf699840dc352dfb9220248723539d57570ef8b44982e2c89f29972f51f04cccac07257f

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
128KB

MD5
0cb73fb08bc46a1eb731711c12840cfb

SHA1
0a8b13e5ba71af42a0ac051c0f72b3b78fca16de

SHA256
2b4b868ba951946433475d8c03bce4d22aa162af1646900be8aff7c283e6888a

SHA512
19d96148768a6e7f8c6b125f4d574d6c3db368771536c5621db37a748dd6cf28410a5286d543f730d00f8514cc637e8b89f4c00b8a2a2d622136503df0738154

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
128KB

MD5
1a1aeb9c219916fd561e5b1293b5844a

SHA1
8e7666aa12deea5f99bf697ab7cd647ae5c2f5e9

SHA256
5698fef5b39dd9f877bfe454a2572bc052ec04b44638843214df260923653587

SHA512
6ebc1101207ddbeecee0d68a63c229c226d2c975ad8396023afa1b94fc965878f84d3b498c9750739bc421fc1ab72a0107dc264cc986d842f7b6784b398e48ec

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
128KB

MD5
a48739c53ebe8d8a11c3ed385185b650

SHA1
92e9835f49b49a38f095c9d0e4404306b920269b

SHA256
ede4040718951173f587925d029fd2d6fbd2aad95cfea0c7a0c52c1bc4905b55

SHA512
b85c71e5a458f4afd6e6c36947ef640819085b6ee1e5962a60927749f4c71942f90cd750e939419ab4b9d76d9fdddbc05909fea7661b28604ef20e33c85c8d29

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
128KB

MD5
3b01198afa8ed80fbd64078eee8babed

SHA1
e4823e9f05a300a2338e106d3472f194f5bc766e

SHA256
4da77a902904460b5c99f045c58401e6785428645d49c67292ba4702d2912b61

SHA512
48ca1d1362bd01fa4ca88f73c0b0bc514e2663842df10f4fcf33b388ce6c5e695f4e1bd20dacce98e137b60c8342561ced50c9e0e34b4d6c35b2d83933ac13b5

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
128KB

MD5
174d9bd30d2aa64a086d7eecb76760f4

SHA1
7f878c8ed2a453c8bcda9eab12264f9c5ebb3228

SHA256
089fc1eda847ae66dda5500b0905a0f2130a185f3a75c705fb010fc98b9f3eea

SHA512
f4421f54f1dfc0ec7e826b5a06d001ce4a29c9685d0fbd7ce707a8a0b0a5314986d69bfcb74f277e90f275a97f7d353202004fc09655467d7147563e1dc0ad94

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
128KB

MD5
d0fb4b29641fba3302b6fcbad81310f5

SHA1
3524c127cc0b3a1c341c2a9f7d5e519513677db2

SHA256
ebe8c57b7873775b9894952e790f8cadbf9a211232d9543725176b11485f3aa0

SHA512
bd9ab9e2ce85092702295f1b68dfebcf0019f92d9fa535f453a8d39720528844cc0246ac25edda87f73c5d2d8ea4ceda54ff112966d0040fad76661558539af6

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
128KB

MD5
f9df593cc98391446ed2803c3b8ee936

SHA1
0833a08a9f0d77206656dd3bbca9d201a5691ead

SHA256
e08619c49087f5ff119ea4c6fb680276d1cdd78a6d8ffad6ddb5974b40648e69

SHA512
394bdeab90746d8e9ab8d1de36cc234c1d7716740239d05c1f24aa0ef44762f02c4b06ef41c69429867bd4d64f57aa93244443bce7dfa70a7d65f61fd2688ae3

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
128KB

MD5
d1cab53bd8d156a6597405cbe035ceaa

SHA1
3fc2624c18703ebc016c98f4697ca23aa45ada8a

SHA256
ee7560e4f2887d11d3163c0636040f568858152b67a238ed241d80103fcddf86

SHA512
88c6f8c6f6b65e066b38d0e8fb6c0a2165872fd049722b831b8f201f609496b3e62c5d218373d51fb867c49324a068885ef1504c6db8db9200678e4773ff2a42

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
128KB

MD5
b3c0f164d43359864dfc0d9617751ef5

SHA1
cdd0f8a44fc5648825a86c7d34884d2c3407bc16

SHA256
0eddeff25a557ada113f4a8a40e8ab16bcd64826a3e1034afb0d78d4a03f6759

SHA512
d18545984c8dcd550b552f9cc99931b2891750493669c24f3aabec3789b8882441560011cb2ad36479e2ff8ec42afef3b929aa5b62489e0d18cd5c296299b551

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
128KB

MD5
d9e3fd0498abdc051a57a24ad223e5ad

SHA1
4db3182b9f713fcfcd72d9e884a3298ff112c452

SHA256
2aa5c6b7b983a09c313b685b02ed676cd955a1d241aa817b42b2de91ea31f7c9

SHA512
c594da279206cad5fa5798cbcf7ce4c39d71fe151f81174dcc96f4d4152af8937d25b27c4bdd7637cde9f1d6de1f6e53e6ea9183249771d6bf8e61db7b9baad2

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
128KB

MD5
0d56024672d39ee55afc53ef65b9c03a

SHA1
4118fa4183e3b92ecb2d8b8445cdedcc4e699608

SHA256
b8bd04cfede8e606b3e7973d2f8559992bba2c9b0818262d36d3c9de745307d8

SHA512
43d2db82355ff8ccee80aa68a69cea1075d30aee942bbd13bbec82f37d50c63bde8ca6b1d1d9cca417a020c9f20162237250e44a65ad114cd631e92e4e2e7c14

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
128KB

MD5
9d18358ccf46d0ab3f80fd7c895cbfac

SHA1
fac049e79bad9df95b1145e54bf2a75110cff5ec

SHA256
112ece36bcf892c4e1ab5acd2115613ebaca37488a4f7048bd5d40b75f8389c3

SHA512
344614023ee10b7c642a10afa7ca6447d113cd9fcb6b2de6ae5ed52933bea4598281b467cde9bcd7501c156851fe1b91ae7b59472f6eb82e5daff74d9ca7728e

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
128KB

MD5
332547f497de830d7ffcd55b5455a512

SHA1
8d10dd9fd6de7abcc0ecb690618a90662ffc2a4d

SHA256
f64ef7a33944a90d3efa2984542ac8d82d181eb653114f06304375c1a642a5f4

SHA512
263971ba0649c8f626a9219b80bac7e9a0c1381143a2b8fece5ae0c8e33524b62553f911c7d36b4e9d77011085ecda545c08164613aba6238b74f0cba56b53b7

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
128KB

MD5
38c36b8a76c6c4b2522708c3ff91e73c

SHA1
d6681a44d09829e61e49a14c6714e99922cce432

SHA256
ff52cf3d66e09192fd91d6d97cad40d1b7bbccfebb0144e1eaa748beabec3875

SHA512
00c5d2e442dff2a47becf818df8814a453f881a7d2699593207956a8e3e78af57efdcdb52e3348f6af563bcb461738c65e63341aea377ed4b87919b745f03288

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
128KB

MD5
a42322399c039a01e3baa01ebd436b27

SHA1
05aa05c50108427ec87d01270430b55b5dd5871e

SHA256
438f1cab01bd3c5f79479cffded2ebe722b009295827fc7a0765365d9718d6db

SHA512
ffaf958d840563a585d10f56528f7a950067094e65c53923666382fc12c8ebdec6d489829edeaa75a81904f2709969b6d89a3ef511137e42ab7f021f5983395f

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
128KB

MD5
e1b8c4bb004cc6af6add835c070c63ed

SHA1
7e485fee5a78299cc97de0dfa356cdeb8444af8f

SHA256
9fec3990036781b690bbf3f5ff6f6a71405b208a9c94543091fff3e5b9a6f2ba

SHA512
d108f4b296354a750696d479e896abd633f00f16a4a72a2f456972ba045a29bd3bdc8d50781395093ba20327556f3aafc9cce74aaa9e4e057a0bf78b7f9ecb2f

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
128KB

MD5
6793b0fd2c9c68cf235fcb5b8a617bc5

SHA1
201e70514a92a83b1c1cb3f19a441b76159bd902

SHA256
6c60292a492d54354f0cc21491a601f4efdb68ddbf3311438311faf5ad6da222

SHA512
5cf2c156a633e55970b2a6ae73ec37726122ad4a29145b913c93b5a6ec77f9631d28cfc44c34ceecc8360266ece1cc7baade088e4dc9fe75094ee8ed4acdac47

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
128KB

MD5
903e30a22ac049a780d4bc7d6d060123

SHA1
e5c17bdcf2004c537634eb0ac71040f0fa52c255

SHA256
6694f17a3c81ac795878ffac215a8a92014fd358bb5309fbb18fb388cb5e42f0

SHA512
99dcc878d85b3aa43a55cf0f2f905cbf479f0d8062cfe668df4bcddcbed9a09f7e478846f40dbc88d1ae657def8aa0092fcfd04108aa631e324fba6f95ce7082

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
128KB

MD5
3fc61fe90d5329285099a4aca8e6e291

SHA1
1c780c1582bff0d749c942c3197436b407e6a45c

SHA256
06591d0fc71e9ee9bbadcf5f380850fb12a3c61aad2b4da409716d3db7d93b8f

SHA512
4387351be875bf5af69e28fb2f70c538ceb14c12a84dd80a765de343f301a8b99919bbca129dbf44dc551ab868af407c7a58a968dc2b1b4de7169f24f6777936

Download Submit
memory/316-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/384-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/512-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/516-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/644-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/748-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/764-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/764-563-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/776-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/816-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/844-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1012-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1176-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1476-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1672-417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1736-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1932-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1988-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2124-578-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2140-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2476-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2736-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2736-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2924-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2980-557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3164-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3200-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3244-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3416-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-483-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3524-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3556-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3572-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3816-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3864-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3884-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3940-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4092-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-524-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-550-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4432-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-495-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4444-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4680-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4704-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4852-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4852-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5072-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads