63789ef00ecaba6d1981075043f9a37bbe17e3eeb4fe755a6727015918d08e46

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 20:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

63789ef00ecaba6d1981075043f9a37bbe17e3eeb4fe755a6727015918d08e46.exe
Size

400KB
MD5

b38f51522f328432a52126b6e4074a0a
SHA1

0918ca884bf245ca3bfffe8563b7e72c19e7b6d1
SHA256

63789ef00ecaba6d1981075043f9a37bbe17e3eeb4fe755a6727015918d08e46
SHA512

cbb2df648170d042604122cca8f4bb8c74b4dd2be2576724420fc9e611acefa3ed54f9d84cfd71300c01a95460cbe51eefde60f55fa73fd2ed4a1b799f399e9e
SSDEEP

12288:J32ETInxX7YJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:J32RntYJ07kE0KoFtw2gu9RxrBIUbPLs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gohhpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmlhii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	63789ef00ecaba6d1981075043f9a37bbe17e3eeb4fe755a6727015918d08e46.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdnjgmle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfifmnij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnccmbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibnccmbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcdmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe

Executes dropped EXE 64 IoCs

pid	Process
3068	Fooeif32.exe
3844	Fhgjblfq.exe
1852	Fdnjgmle.exe
3780	Gododflk.exe
3708	Gdqgmmjb.exe
4288	Gbdgfa32.exe
4600	Gohhpe32.exe
1328	Gbgdlq32.exe
4696	Gmlhii32.exe
2084	Hfifmnij.exe
2636	Hobkfd32.exe
2752	Hkikkeeo.exe
1700	Heapdjlp.exe
1620	Hcdmga32.exe
3132	Icgjmapi.exe
3572	Ipnjab32.exe
3548	Imakkfdg.exe
2356	Ibnccmbo.exe
3612	Imdgqfbd.exe
5052	Ibqpimpl.exe
3160	Jfaedkdp.exe
4264	Jpijnqkp.exe
4824	Jfeopj32.exe
1760	Jcioiood.exe
4860	Jcllonma.exe
4332	Klgqcqkl.exe
5040	Kbaipkbi.exe
344	Kmijbcpl.exe
3984	Kmkfhc32.exe
4472	Kfckahdj.exe
1868	Lpnlpnih.exe
1404	Lpcfkm32.exe
4064	Lgmngglp.exe
2704	Lljfpnjg.exe
3140	Lingibiq.exe
2956	Medgncoe.exe
3088	Mlampmdo.exe
1408	Mckemg32.exe
3108	Mmbfpp32.exe
2212	Mcpnhfhf.exe
2748	Menjdbgj.exe
940	Mlhbal32.exe
2544	Ngmgne32.exe
4324	Npfkgjdn.exe
4436	Ngpccdlj.exe
4808	Nnjlpo32.exe
2320	Ncfdie32.exe
1936	Nnlhfn32.exe
4428	Ndfqbhia.exe
728	Nfgmjqop.exe
3316	Nggjdc32.exe
4408	Njefqo32.exe
2588	Oponmilc.exe
3768	Ojgbfocc.exe
2976	Ocpgod32.exe
4084	Olhlhjpd.exe
4596	Ocbddc32.exe
212	Ojllan32.exe
2156	Odapnf32.exe
3700	Ojoign32.exe
2200	Ocgmpccl.exe
2584	Pqknig32.exe
3660	Pgefeajb.exe
4364	Pmannhhj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Gohhpe32.exe	Gbdgfa32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Jcllonma.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Ghkebndc.dll	Hkikkeeo.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Jcllonma.exe	Jcioiood.exe
File opened for modification	C:\Windows\SysWOW64\Kbaipkbi.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Icgjmapi.exe	Hcdmga32.exe
File created	C:\Windows\SysWOW64\Gjdlbifk.dll	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Fdnjgmle.exe	Fhgjblfq.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Jfaedkdp.exe	Ibqpimpl.exe
File opened for modification	C:\Windows\SysWOW64\Jpijnqkp.exe	Jfaedkdp.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Fhgjblfq.exe	Fooeif32.exe
File opened for modification	C:\Windows\SysWOW64\Hobkfd32.exe	Hfifmnij.exe
File created	C:\Windows\SysWOW64\Hkikkeeo.exe	Hobkfd32.exe
File created	C:\Windows\SysWOW64\Hjakkfbf.dll	Ipnjab32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Jcioiood.exe	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5368	6060	WerFault.exe	207

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejfpelg.dll"	Gmlhii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkfcl32.dll"	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdjapoo.dll"	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgdbi32.dll"	Gdqgmmjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkikkeeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gododflk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmlhii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmlhii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnnp32.dll"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	63789ef00ecaba6d1981075043f9a37bbe17e3eeb4fe755a6727015918d08e46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll"	Hkikkeeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elogmm32.dll"	Ibqpimpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijgnaaa.dll"	Fooeif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Heapdjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 3068	3848	63789ef00ecaba6d1981075043f9a37bbe17e3eeb4fe755a6727015918d08e46.exe	88
PID 3848 wrote to memory of 3068	3848	63789ef00ecaba6d1981075043f9a37bbe17e3eeb4fe755a6727015918d08e46.exe	88
PID 3848 wrote to memory of 3068	3848	63789ef00ecaba6d1981075043f9a37bbe17e3eeb4fe755a6727015918d08e46.exe	88
PID 3068 wrote to memory of 3844	3068	Fooeif32.exe	89
PID 3068 wrote to memory of 3844	3068	Fooeif32.exe	89
PID 3068 wrote to memory of 3844	3068	Fooeif32.exe	89
PID 3844 wrote to memory of 1852	3844	Fhgjblfq.exe	90
PID 3844 wrote to memory of 1852	3844	Fhgjblfq.exe	90
PID 3844 wrote to memory of 1852	3844	Fhgjblfq.exe	90
PID 1852 wrote to memory of 3780	1852	Fdnjgmle.exe	91
PID 1852 wrote to memory of 3780	1852	Fdnjgmle.exe	91
PID 1852 wrote to memory of 3780	1852	Fdnjgmle.exe	91
PID 3780 wrote to memory of 3708	3780	Gododflk.exe	92
PID 3780 wrote to memory of 3708	3780	Gododflk.exe	92
PID 3780 wrote to memory of 3708	3780	Gododflk.exe	92
PID 3708 wrote to memory of 4288	3708	Gdqgmmjb.exe	93
PID 3708 wrote to memory of 4288	3708	Gdqgmmjb.exe	93
PID 3708 wrote to memory of 4288	3708	Gdqgmmjb.exe	93
PID 4288 wrote to memory of 4600	4288	Gbdgfa32.exe	94
PID 4288 wrote to memory of 4600	4288	Gbdgfa32.exe	94
PID 4288 wrote to memory of 4600	4288	Gbdgfa32.exe	94
PID 4600 wrote to memory of 1328	4600	Gohhpe32.exe	95
PID 4600 wrote to memory of 1328	4600	Gohhpe32.exe	95
PID 4600 wrote to memory of 1328	4600	Gohhpe32.exe	95
PID 1328 wrote to memory of 4696	1328	Gbgdlq32.exe	97
PID 1328 wrote to memory of 4696	1328	Gbgdlq32.exe	97
PID 1328 wrote to memory of 4696	1328	Gbgdlq32.exe	97
PID 4696 wrote to memory of 2084	4696	Gmlhii32.exe	98
PID 4696 wrote to memory of 2084	4696	Gmlhii32.exe	98
PID 4696 wrote to memory of 2084	4696	Gmlhii32.exe	98
PID 2084 wrote to memory of 2636	2084	Hfifmnij.exe	100
PID 2084 wrote to memory of 2636	2084	Hfifmnij.exe	100
PID 2084 wrote to memory of 2636	2084	Hfifmnij.exe	100
PID 2636 wrote to memory of 2752	2636	Hobkfd32.exe	101
PID 2636 wrote to memory of 2752	2636	Hobkfd32.exe	101
PID 2636 wrote to memory of 2752	2636	Hobkfd32.exe	101
PID 2752 wrote to memory of 1700	2752	Hkikkeeo.exe	102
PID 2752 wrote to memory of 1700	2752	Hkikkeeo.exe	102
PID 2752 wrote to memory of 1700	2752	Hkikkeeo.exe	102
PID 1700 wrote to memory of 1620	1700	Heapdjlp.exe	103
PID 1700 wrote to memory of 1620	1700	Heapdjlp.exe	103
PID 1700 wrote to memory of 1620	1700	Heapdjlp.exe	103
PID 1620 wrote to memory of 3132	1620	Hcdmga32.exe	104
PID 1620 wrote to memory of 3132	1620	Hcdmga32.exe	104
PID 1620 wrote to memory of 3132	1620	Hcdmga32.exe	104
PID 3132 wrote to memory of 3572	3132	Icgjmapi.exe	105
PID 3132 wrote to memory of 3572	3132	Icgjmapi.exe	105
PID 3132 wrote to memory of 3572	3132	Icgjmapi.exe	105
PID 3572 wrote to memory of 3548	3572	Ipnjab32.exe	106
PID 3572 wrote to memory of 3548	3572	Ipnjab32.exe	106
PID 3572 wrote to memory of 3548	3572	Ipnjab32.exe	106
PID 3548 wrote to memory of 2356	3548	Imakkfdg.exe	107
PID 3548 wrote to memory of 2356	3548	Imakkfdg.exe	107
PID 3548 wrote to memory of 2356	3548	Imakkfdg.exe	107
PID 2356 wrote to memory of 3612	2356	Ibnccmbo.exe	109
PID 2356 wrote to memory of 3612	2356	Ibnccmbo.exe	109
PID 2356 wrote to memory of 3612	2356	Ibnccmbo.exe	109
PID 3612 wrote to memory of 5052	3612	Imdgqfbd.exe	110
PID 3612 wrote to memory of 5052	3612	Imdgqfbd.exe	110
PID 3612 wrote to memory of 5052	3612	Imdgqfbd.exe	110
PID 5052 wrote to memory of 3160	5052	Ibqpimpl.exe	111
PID 5052 wrote to memory of 3160	5052	Ibqpimpl.exe	111
PID 5052 wrote to memory of 3160	5052	Ibqpimpl.exe	111
PID 3160 wrote to memory of 4264	3160	Jfaedkdp.exe	112

C:\Users\Admin\AppData\Local\Temp\63789ef00ecaba6d1981075043f9a37bbe17e3eeb4fe755a6727015918d08e46.exe
"C:\Users\Admin\AppData\Local\Temp\63789ef00ecaba6d1981075043f9a37bbe17e3eeb4fe755a6727015918d08e46.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\SysWOW64\Fooeif32.exe
  C:\Windows\system32\Fooeif32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\Fhgjblfq.exe
    C:\Windows\system32\Fhgjblfq.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\SysWOW64\Fdnjgmle.exe
      C:\Windows\system32\Fdnjgmle.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        32⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        35⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:728
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        56⤵
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        63⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2068
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        69⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        73⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        77⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        79⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        81⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        85⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        86⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        87⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        88⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        90⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        92⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        96⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        100⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        101⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        106⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        107⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 220
        113⤵
        Program crash
        
        PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6060 -ip 6060
1⤵
PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
400KB

MD5
d8b6e5a046e7c9ff0b8b27955ced340c

SHA1
f15617d7146c76717c7d2552eabd2c114dcb9daf

SHA256
bd80886c960d5e5434369f670a46c72ab68532a6885fb6f1972bafb881614a19

SHA512
050572c6083552fae0eaebe73806e57efc62c4a65ff053357fdec2b17515a2b42be16911c4b382f7cb3d64caf7d9356f8971db4becc06fc5ef35e6fc474fd504

Download Submit
C:\Windows\SysWOW64\Fhgjblfq.exe

Filesize
400KB

MD5
d45f2dae3e7aaa98590e3e940815d7df

SHA1
e9222410f9915821074a948d0894948d38c0724c

SHA256
b7093d55df3835d29faf126b0402cdfbbc01e4a6292b28ef31c89a700eee5dba

SHA512
4339811797b1bc93d38b168484796e190557fdd33ec4462e777fa653ccf96580a7dbeceb691543e40fa9c12983579c00604f76d3c1d26efc1545cadfebdfa2fb

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
400KB

MD5
0a06698cc8db5fd8226a084cf5032349

SHA1
ee8417441fd77b65a90a71bc58075c5448409bc4

SHA256
c46f1db78c152db21abb3a94feed26ccb3e3b2bc5570252515bdd8ac3524dd8a

SHA512
de6d041f0948af9c13a22fa208d307ae24fbb529cefb432f07c2d7f1cd5629b91e621c7a1f1eb346ac8af6a6cbfb682343a6f4c414b88675ce486613135b3010

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
400KB

MD5
055124a5671d2523a0503992f6cf3708

SHA1
f0af3fae36096874819b0f9ec8048950cfe3814a

SHA256
580cca1e9e39a5d04f283c3a318a07c38662fb1cdedcd6a77ac19b527cc4a950

SHA512
8aa1492009f8c358bd802f8a2cf8a62819e9ad9eb9d91722eb8dc7fb6d8193f85bf636b394a03442564308d94ac7c571c9fd28223003c104dffd8cf6ca7f276a

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
400KB

MD5
9ed7c97d7d7dd0b0869b8d395febca32

SHA1
6935cada68b69b070d8e0ce78aa0fd9b77c2fec1

SHA256
6fd27a8d3581bbf0d0199dacdd8e472afdd4b9107a744bd849ae28c30878b250

SHA512
8da537bd52e22a93fbd477013796afe802397c55035944a90acc455e5b94d80c27a0ec55dedee21abce79c89f5b8d65ec3d725a8177b5459d1703fb6caa63b8c

Download Submit
C:\Windows\SysWOW64\Gdqgmmjb.exe

Filesize
400KB

MD5
739d17106ec6b0e50b1dbcfa27e9266b

SHA1
01cdd9d756c8ff7f1957482dcd1fba69142513cf

SHA256
0bf35d686227e60131ecdbec6172e4cd266d7c9309e86ce41c10ff537ee3f44c

SHA512
31b14c88f4db1a90634a1cf7cefb431f46bc0597baacf8d278093b0141b01a65190512ac3282efc7f089399ca575479e708e25cdf970df5466cbc0b746905180

Download Submit
C:\Windows\SysWOW64\Gjhilj32.dll

Filesize
7KB

MD5
cc645290b2bfb561b6b0cf32ec67e3a7

SHA1
1c15dcf5de79295fefe7cd31623d540bd82fff2f

SHA256
259094b7b10db7a1d2fb83d372b1232f57eae1478beed4fec38c169ab25fa092

SHA512
63b1b3182fa59e09fed1181a310fcaa57c7875f49bb36eb9a0ee438082c1d7cacb3083c451e555ea2a8f5e5518dd49adbf591663efdb6147a4f3b2c87c8ad12d

Download Submit
C:\Windows\SysWOW64\Gmlhii32.exe

Filesize
400KB

MD5
7a1aab11fd8cce25942c45c3cb5878d6

SHA1
5577b628e5ab171d34fe8ce580868b466a41cef1

SHA256
87e58dfbeab3b0a867912664bb2c09402b835efb324bf4e5f5eefa1fd2745c8e

SHA512
0ec8d4a0e4ae392412a5fe158ac3705fdc919386c1bb6dd9f869ec449cdfda5ed367c56423c12d6daa07d893b5a007e77d183729d93e6c23fe7c08bf763e544e

Download Submit
C:\Windows\SysWOW64\Gododflk.exe

Filesize
400KB

MD5
bab911c19ba570a62eb10ca59c568296

SHA1
0388b64def9f09fb4582f673114fb048b3800896

SHA256
9cfec46fa0ca06bbbbd04339796e7724d417d84d436f58a3469507421534afad

SHA512
0098254332b7b1e4045ee1de516878eefc301c5d4c95511f09d735fdc67f00c8f9c7fca76a391d0a90b5de5c0391f1b5a4528b54ebbe5a2bbd1dde93be273e89

Download Submit
C:\Windows\SysWOW64\Gohhpe32.exe

Filesize
400KB

MD5
45626f2cfaf2cdceb2ae5155a195cb24

SHA1
6e8a308a4478bd9ced532bc966462f99c51954fb

SHA256
64c7f517548d86e807527d522baa298384e6999ea79194ec318a897ab9b5d13a

SHA512
4459461001a37d13c630271af2be8b947d9d841d6f6c38458287e92ca6f30cffdab7ef3287c0fc7390c2edd0f542995187bf91d68ba311d0e0efdae19f01c731

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
400KB

MD5
991930f4c9f1085e30d0ef8e37802c96

SHA1
96b1741c17aa029fcd755d5e96429e27be29306f

SHA256
837bf4fa04ab83399c301a92975e8daaf9cc1ea288aa2bf41f331d0bb6038201

SHA512
9fbb6cf99aae2e9a6311bb2c00d9a4512ee22937f7b3285970fddf5b9504f86b42e096dc914080d6a61d9fff43a2b53c2d5a55f3df064c4feafed62192d06c86

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
400KB

MD5
acfb492652c81491f8ae74b3d223da05

SHA1
e340a2639d8dd3871e051feef902c2d643cc8d67

SHA256
3e4bd481e80ab2b4759e8cf822839bb2ec40a6022f00c8abfa9a82bcf8acdd8c

SHA512
a05f378540e12226b44c64dd242aa8d643e84a24918687409ac40420aff8f94b160710b02e22524beacdc000a93d7b2b01de44f19e53844cf0a4378003db9f45

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
400KB

MD5
c039ec5f6f1f2e4fea4332297ab05930

SHA1
da700d98dbd047e7b75916a6b1f85b3474f577bf

SHA256
d39fe365ae60dbfbc549477b2c3ac32540b5eab6645ba7ce0036f9416ebb4cb6

SHA512
b8aa9c90c2ef9b25a23aa38f28c23b4edaf37c5929b2b92a50f262d9eca419568cb37a3ff33f8712e6771b15034c951790bd9171771eb5437cba231dbe1495e6

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
400KB

MD5
223f256eb79582cdd26dd23087bfbf57

SHA1
7732a8dc1e2742d71a8b02da4360c43755403d4e

SHA256
d2dcd2c4c6c72eb4ba4e8d3a36d08d9b225756e51fd877c5a1459ee0dda21c16

SHA512
d783015a083004c682d13461bd955952cab1805134f6eefb1105468a28e8c405376aa7fde2e3c1da03d7dc50fb46917e2742d9a8240919818c8ff0a4650012b7

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
400KB

MD5
53b86d3104a2b9f8a62890e090424fe4

SHA1
7416b9a062ca2d0039b93256d510a12f70a9dc1e

SHA256
a13e2898a2ae182dc2821ae4306462c81101960cf128812d95c843ecc16a83a1

SHA512
d3fb07aeb13e8ea4dc7b88c05a54f42115c328dedcd8baf1fb42387dd4d15b8edd87cec0885cffcf7b003cd6bd113ab418a2c0818bead664ff61af04fd6333dc

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
400KB

MD5
69c7e72d422f93b6cda573154fd4838f

SHA1
76ffe90c6d4eb9c64e48833065d07868408d8084

SHA256
3f36fce9004ec4ffc37a90084fd0f3e2408f65147103a570b3ac6dbe85531322

SHA512
932326dba9ea4c99ec16c1620a9f4d3a542389e716ac236385baeffdc511540a3960026caf5dc30619dfb19444942d14131b2f4fb27e97d23e20b18ada105fcc

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
400KB

MD5
2f0d21d853f199e3f967e683ed61a35b

SHA1
8445a59c16a659387cbbc9d72955d0c6a29ab791

SHA256
c28e607df23a955c9febc532d91e6d1ef4bfcb0bfc0a974e568b9d3d9d4904a3

SHA512
cf1405467cee2694e64d04264d6eaea4f3cf865def04470cf34382533a3fca4ec9c01d43d0dc45fa51dcf2930ef16340f4eccf20c1a6e610417a21e1e62e6aa0

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
400KB

MD5
04afa6715a93c4443716c2dec6dfacf7

SHA1
a76773052fc4c7c289fabeef5167ff1cefdc9ba0

SHA256
9dfa22ba839c2ac0ce802774ad7030c5712c5dd2a8c1430cb509552f0af068ac

SHA512
48010e6f477553f38ec743757426ef73e7759edfd76cedb2acb3c7dbf3e890661dbf995cabc359c0955e899e414bdfe640561c0ebc98ae762443f67ec0f7184f

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
400KB

MD5
86fd4defa326c78d388cc598d95a4075

SHA1
c3964bf7d71b2c10f3684db359c9ffd6d5e047cc

SHA256
1970a41bc26bd347522413360507ffe64d20f2c7abaa8a7feb5b617d5b03c157

SHA512
9e5cfd682fbbd1bfb81cd784a39bd8f74a0539a5cfe1a0775e22fd1bac8481c4d47424d4c726d24d17179d35304837dc3ccd1b628e002e20cfad2377a42655fc

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
400KB

MD5
89a934013c1226414d4f1f1f3840a669

SHA1
6dd06acbd3b50e1b2dbb02ceff916d7f540ca337

SHA256
ec401d4e3253310d07fcbc70d6b217f6de996cc9c97fd55943b65ed83ed2fc72

SHA512
d9d98d6a7f77c169ccf2b307329ccdf57c3b484d5e1977a7c5f4a5ffc45a7134eb4645bcaa0ee171c845bf4f3980bb155d032f23649da3d111d9d3cccdd479c3

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
400KB

MD5
99f53c39240c5183fddc7e38c4ea8c48

SHA1
e7c2b58577e810516ada87ba02047ae25e974339

SHA256
ab9dc5112fb3954d01938149c26c27c50c42819b95c0cc3859da84df58d9492b

SHA512
679361a19b297b10db5c5549ab2d3ab9c91aa40cfa544b278cf63e0716393fa7bf04f75b03345cd74962b36cca16354345f781c3f391eb94914adba83b7a1fa1

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
400KB

MD5
3f18ef0fab736c6ce407aa6d31cf33d4

SHA1
d6e932d56085a41680817b087bd062eee9af6c41

SHA256
1cad8239273bfda24fe69f009f2b743651bf199ffcec33c0016d23077af7b2dc

SHA512
8df9783c280e440c3d7af62430c410438cdb385f301bf325ad326088524a6c683ddbfc44855f76aea8304b0ea8673930492174dff0afcd2c9d03b0d27779da13

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
400KB

MD5
7e3d2e78e002db52add4c65a2256f97b

SHA1
bbddbadbca620c628eb866d459c6cb5f72c0409a

SHA256
b959548b037f4f24ee937e0df398edf0bc2ebb2b0bdef4ca217f87ad20ff1ea4

SHA512
b6a4b978a5dfd2916cd26a561a1b7b1e9c303109a4915c8a8cbe1498853051ea5baab8a45bdd82dba7db9384eadb2f709da1efdb7f11eb7978b158d4e34dea03

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
400KB

MD5
254b8b19d447324855f27259488dca35

SHA1
d507e3bc91379668ef4cc930a2b024d87b920502

SHA256
1addf12409022ecdd65e30b05bb9d9fd886875fc3ad8588c6a0c2603f6906b63

SHA512
8dc3dec1933c76589269723dfa8b94c934d76451cba9551cae9655863dcfba5f91035028476d86d229fda558802748646ba511eeff8cdd966605c98aeb2e3ee4

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
81KB

MD5
30a4fed251f95e5ee587fc8cd6a703e0

SHA1
80e69579c123ca6b7b009a25f494381fb776157f

SHA256
15dc57cda4fec5bf1b559a98618a6f2cc1a55a94bc16232ccbb39089bcd91eae

SHA512
da5f1f0803d6d4b03a6558add76c53ad648557ddce1013e60c577138b6baf1aa0e46c58bac6a8d3526c233c52022f80801ce6fea01e8c71dcaf6e9643e0d640c

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
400KB

MD5
23d726eb50da279ed8c86c8cb18d127c

SHA1
56dc1bd065b16a9e5784d5dab008ae48437fa497

SHA256
2fefc719a9e5dde96b0bba07c28bf108f9ff4ee595018ba1de31cb31172f49ab

SHA512
068191d1bea13eacf456e6fb89eaac53c91d418d7f90df5a9431916ecb4840d8f169cfef4964c3a153a215f66905109f24279b91c639a989f784fafd2405438f

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
400KB

MD5
54c2f0cfb77dd8ba146e52de0fa77aaa

SHA1
663037937887972330badfbf3a77b7137d9a0dda

SHA256
6988a98a0705de1224ec5e2de65728691fc170373c88862b86eb0448af2f9ea2

SHA512
5fd6900bb196506d10e673407322566bd0c9d69b7f44de20666e08a550c8d476a81eb953f0fa3aecccecf4d8539a6622ba29e3f67b078a9c248da18d18217818

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
256KB

MD5
02e76fea05d2cab8489d13fa398b6538

SHA1
b7457aad3f76cf3cdba5b860a9358e3d6ecbcb94

SHA256
2e1805042094a56cb040b8ee2131914feabdaca97d28b41ea640d2823c206c13

SHA512
eebf1ec46530e5f2535c029704c0db427dc7860a162e6fb2698e21942498167acb3201485a2a9d601d4c56cc50edbd3b2ea79456ff722fd9d9a10411370676f9

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
400KB

MD5
681c69cb5e04bef6480110525a91f665

SHA1
cc0c6f5bf205730e035bf376eb6b8d5752b8c988

SHA256
4047a12c0f8bdd49f73a3b87cfbcaa09be5ac59041e5a83317448fb3ca3a2d6a

SHA512
c3fdc6f0f65b00ee5f61abfc414c8e06cad182a4922b2ba0a19fcdded8e183b0d4ceb4fb0ae04d2d78fc07041953b7a0140b52303ccf0adebb42310e6147de82

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
400KB

MD5
838a3bf9682d608498332dc578e08d06

SHA1
d54f9edf340a168c0942b5f657680631cc5e851d

SHA256
05b38f0f50b653f4fddd7934dd86c123c44881d811e3351d246771fdc4ea10f2

SHA512
38ea097236dfd9ac33e4b775beec667de14579cd281c93b67bf009a3ecdc3bd5b0bc241c8f0a9dfca76ea5139b8ec54c5eb97319ec8fd01e9f258cd9c220f8b0

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
400KB

MD5
dc6669c5ea30b0896ac5db5adbff6289

SHA1
5d0dcffc287e827d006639b1c96efcd248e7a1e5

SHA256
670ca42c84142a667816ad0e803e8fc1c41320ea2e8db875b090d48cdeccc738

SHA512
16812c40ebe0759c393b801fa264f25d20b38cd91e87b921495cf122aa001af55988e0d3604ff7e04867a0df8b170a34a9aef08a5f7f06dbd75cfecb6023184e

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
400KB

MD5
7bf139d9b321a825d7eb784ff160737b

SHA1
73d3e24caea2cb923180b9dba4271c5133fd714e

SHA256
c54186b55c001ee5eee80a74e1bc3c9c1ee9cf489642a4f1a209ade79c035131

SHA512
92e7c6b322241642d1237f9db386f4b91e74566beab1052ec277f79589b5887da1dd902e8ad4be9bd76701feb64b9f83bdabcef1d925bf4672e131a5d778ca86

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
400KB

MD5
10dafbe29dfbf836daa915c2084c9743

SHA1
fd5900242e254936ae8018b568e2ae11239c5593

SHA256
95c83bfd624f6750e4b4c07732bb2132280de074d361f0e09d01aef9ac51cb13

SHA512
7be9abdb12bfae7315b9e37e734256217f07e9f41d2d315c1c8ade1d064f7a2d76cca69d97b4a213afd2d9128fd12606b972091c4eaeabf541036d4926e2f53c

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
400KB

MD5
5cb7130e3e750e32563d403e318ce615

SHA1
c41be40c0cf88b83ca14701e42817b9ba025bde1

SHA256
5531465030a175d87fbc5551ec81e85ac4b0698f846f77c3be652eeb20b4f7a8

SHA512
6d2c2e158b77fdc0e624597b8dddc0c77ba83f9d73641a122eacc4ad51950d52f4751198fcd6a372998878c52f67cda008686c3fd6080530e3c750343f3214cf

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
400KB

MD5
c09215565ffa810d87b38b3d20359060

SHA1
9a345c79e108a278355af02bca2e89f54471d857

SHA256
e6744f2d35e2de529dd76f6f7cd851aecda099a6ec783013f94bf30e543c8b33

SHA512
612a962dbec42696f761c323d336210bb2aba424dcf67c327a4e82cf3fed840085aad284941817a041080c56df07b8a4266e1bee1b14ded2a0c8b1c25df33a94

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
400KB

MD5
3a2e4650d48dcf425f4874189c468c64

SHA1
e15543a913c6f3f2af749a747ab05da828d4c2be

SHA256
6d928cb5cb34b8489bce8c46dba1b24adb2958fc44b2bfa6eb000c828054635d

SHA512
ae55c1a707735143d8f64b72452c86851dbe109c46162e1b82db8ad1e2f526deb0e9eb74b903ec8dc3cb1ec02a8903d7382c1f359b6a3a0d8814b91c0f3deb0b

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
400KB

MD5
72ddf9bbc37900584f93e9bc03a8e9ee

SHA1
6a4172be863958bc87b01a5bea9fdcc769771a35

SHA256
e52d8d5779f018e5a8935bfd18686f96362ddbe2a5604f5b058d0735c899a48c

SHA512
1855d1fba3cd1d51292400c33225e82b39987c88b93c29a5a7dfc7135a97c1da9d53e7fc9c005cefe201c72994ecd7401f0043e53bdd8a8c07f770de65ccd058

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
400KB

MD5
1155828d1c3761e27c28f259cdd45ffa

SHA1
783f6a5775e55cd284d02057866faa099789d380

SHA256
c917d42b92cdcd72eff7276c9ec9da28d7fad9c4665d9d434addf56e450542e7

SHA512
eec1f974972b7beba96c338a3d65610413b70c0a93dd5548d9c9c1438428870185c2a2c4ae5cdade5c88525920deb73858ee86f3ba2f1e4722c70dd4fe33d6af

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
400KB

MD5
51bc370f2e5c7f166183553fde084ea5

SHA1
42366ad5b44543cdb20e5b1bce3008d080cd9984

SHA256
80e9cb5f0be8723723ebed4102eb86c9d06db75df8c9c191bd65b07effa38fd4

SHA512
69947992f6e502b84fb0b79e59c49023bcb3725021b780e0347064475b2012ca3e8379286cc826b54d096dd15baf1222eae2fa8520d4b72bd6b454f2bc127e43

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
400KB

MD5
316dc5e3fabb481b5196acabd8005fbc

SHA1
6c6497dbd8c9ab66c18610fa9a5d051fceab139e

SHA256
272c614c9b90f74dcf7e7330d3cf1a2f2f0250fc75b7506070d6b3c4be07e5ca

SHA512
7ab2ba1beb98c391c694609277d57f450d8c20b88141bc18003032d1b3c5c6168a95a6a61a2ab4518673bb919ad4499d4dbb03b3f6eb04ed8ef414fbfd850f3c

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
400KB

MD5
d3bd95ddd68e5e8ead15985f60c9d946

SHA1
919add1463dd70d68d613664c4ef3f2c3d4d9003

SHA256
a3b5d5268cde95ca5ec4390ab3a404e7d2c88c105dd0bfd390493d1585d3a7bc

SHA512
02d2156301fa484076d189214584c51b4f1c4f30ab0bc054c987f611b41e704d2247dbbe4a4f4e7d13e143a87869ee4324cda95bc09ae033817cd1601ae614c8

Download Submit
memory/212-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/344-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/728-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1328-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1404-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1700-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2200-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2268-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2956-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3068-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3108-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3132-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3160-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3316-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3548-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3572-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3700-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3708-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3844-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3848-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3984-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4084-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4288-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4332-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4408-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4472-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4696-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4808-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4824-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads