4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0.exe
Size

78KB
MD5

9d89547b8c18c67675d8190f63b3efe5
SHA1

563ddf5b7757ed87639d804a04f66cd3219f602f
SHA256

4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0
SHA512

e51dc36c9c1b3947bed326a85cedcd2fb64062bc12b6aeb99c295303052d2b8fad06e73beb35f5b34fb9ae0aee4b02432f2b08e235efcfe81a1a73a5d83be0d6
SSDEEP

1536:+RUjhFi9zpmIFcgJ/inRiVIyN+zL20gJi1ie:+R0hojFFcEiRiVHgzL20WKt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe

Executes dropped EXE 64 IoCs

pid	Process
2492	Njqmepik.exe
3548	Npjebj32.exe
3080	Ndfqbhia.exe
3880	Ngdmod32.exe
4524	Nnneknob.exe
1136	Npmagine.exe
1696	Nggjdc32.exe
4472	Njefqo32.exe
2780	Oponmilc.exe
1144	Ocnjidkf.exe
2180	Ojgbfocc.exe
4112	Olfobjbg.exe
2480	Odmgcgbi.exe
2816	Ogkcpbam.exe
5028	Ojjolnaq.exe
4520	Odocigqg.exe
3616	Ognpebpj.exe
220	Odapnf32.exe
4948	Ogpmjb32.exe
1564	Ojoign32.exe
1076	Oqhacgdh.exe
3996	Ogbipa32.exe
380	Ojaelm32.exe
3568	Pqknig32.exe
2520	Pgefeajb.exe
3876	Pjcbbmif.exe
3708	Pdifoehl.exe
3644	Pggbkagp.exe
4420	Pjeoglgc.exe
724	Pmdkch32.exe
3084	Pdkcde32.exe
1520	Pflplnlg.exe
216	Pdmpje32.exe
3116	Pfolbmje.exe
2288	Pnfdcjkg.exe
2032	Pdpmpdbd.exe
2300	Pgnilpah.exe
3688	Qmkadgpo.exe
1852	Qdbiedpa.exe
2740	Qnjnnj32.exe
752	Qqijje32.exe
2864	Qcgffqei.exe
4928	Qffbbldm.exe
2260	Anmjcieo.exe
3408	Acjclpcf.exe
3432	Afhohlbj.exe
4864	Ambgef32.exe
2356	Aqncedbp.exe
436	Aeiofcji.exe
2112	Agglboim.exe
4500	Afjlnk32.exe
940	Amddjegd.exe
1760	Aeklkchg.exe
4840	Agjhgngj.exe
1832	Amgapeea.exe
4092	Aeniabfd.exe
5104	Acqimo32.exe
4196	Aminee32.exe
4396	Aepefb32.exe
2160	Agoabn32.exe
924	Bjmnoi32.exe
2328	Bebblb32.exe
1992	Bganhm32.exe
3336	Bfdodjhm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5928	5788	WerFault.exe	207

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2492	4836	4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0.exe	88
PID 4836 wrote to memory of 2492	4836	4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0.exe	88
PID 4836 wrote to memory of 2492	4836	4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0.exe	88
PID 2492 wrote to memory of 3548	2492	Njqmepik.exe	89
PID 2492 wrote to memory of 3548	2492	Njqmepik.exe	89
PID 2492 wrote to memory of 3548	2492	Njqmepik.exe	89
PID 3548 wrote to memory of 3080	3548	Npjebj32.exe	90
PID 3548 wrote to memory of 3080	3548	Npjebj32.exe	90
PID 3548 wrote to memory of 3080	3548	Npjebj32.exe	90
PID 3080 wrote to memory of 3880	3080	Ndfqbhia.exe	91
PID 3080 wrote to memory of 3880	3080	Ndfqbhia.exe	91
PID 3080 wrote to memory of 3880	3080	Ndfqbhia.exe	91
PID 3880 wrote to memory of 4524	3880	Ngdmod32.exe	92
PID 3880 wrote to memory of 4524	3880	Ngdmod32.exe	92
PID 3880 wrote to memory of 4524	3880	Ngdmod32.exe	92
PID 4524 wrote to memory of 1136	4524	Nnneknob.exe	93
PID 4524 wrote to memory of 1136	4524	Nnneknob.exe	93
PID 4524 wrote to memory of 1136	4524	Nnneknob.exe	93
PID 1136 wrote to memory of 1696	1136	Npmagine.exe	94
PID 1136 wrote to memory of 1696	1136	Npmagine.exe	94
PID 1136 wrote to memory of 1696	1136	Npmagine.exe	94
PID 1696 wrote to memory of 4472	1696	Nggjdc32.exe	95
PID 1696 wrote to memory of 4472	1696	Nggjdc32.exe	95
PID 1696 wrote to memory of 4472	1696	Nggjdc32.exe	95
PID 4472 wrote to memory of 2780	4472	Njefqo32.exe	96
PID 4472 wrote to memory of 2780	4472	Njefqo32.exe	96
PID 4472 wrote to memory of 2780	4472	Njefqo32.exe	96
PID 2780 wrote to memory of 1144	2780	Oponmilc.exe	97
PID 2780 wrote to memory of 1144	2780	Oponmilc.exe	97
PID 2780 wrote to memory of 1144	2780	Oponmilc.exe	97
PID 1144 wrote to memory of 2180	1144	Ocnjidkf.exe	98
PID 1144 wrote to memory of 2180	1144	Ocnjidkf.exe	98
PID 1144 wrote to memory of 2180	1144	Ocnjidkf.exe	98
PID 2180 wrote to memory of 4112	2180	Ojgbfocc.exe	99
PID 2180 wrote to memory of 4112	2180	Ojgbfocc.exe	99
PID 2180 wrote to memory of 4112	2180	Ojgbfocc.exe	99
PID 4112 wrote to memory of 2480	4112	Olfobjbg.exe	100
PID 4112 wrote to memory of 2480	4112	Olfobjbg.exe	100
PID 4112 wrote to memory of 2480	4112	Olfobjbg.exe	100
PID 2480 wrote to memory of 2816	2480	Odmgcgbi.exe	101
PID 2480 wrote to memory of 2816	2480	Odmgcgbi.exe	101
PID 2480 wrote to memory of 2816	2480	Odmgcgbi.exe	101
PID 2816 wrote to memory of 5028	2816	Ogkcpbam.exe	102
PID 2816 wrote to memory of 5028	2816	Ogkcpbam.exe	102
PID 2816 wrote to memory of 5028	2816	Ogkcpbam.exe	102
PID 5028 wrote to memory of 4520	5028	Ojjolnaq.exe	103
PID 5028 wrote to memory of 4520	5028	Ojjolnaq.exe	103
PID 5028 wrote to memory of 4520	5028	Ojjolnaq.exe	103
PID 4520 wrote to memory of 3616	4520	Odocigqg.exe	104
PID 4520 wrote to memory of 3616	4520	Odocigqg.exe	104
PID 4520 wrote to memory of 3616	4520	Odocigqg.exe	104
PID 3616 wrote to memory of 220	3616	Ognpebpj.exe	105
PID 3616 wrote to memory of 220	3616	Ognpebpj.exe	105
PID 3616 wrote to memory of 220	3616	Ognpebpj.exe	105
PID 220 wrote to memory of 4948	220	Odapnf32.exe	106
PID 220 wrote to memory of 4948	220	Odapnf32.exe	106
PID 220 wrote to memory of 4948	220	Odapnf32.exe	106
PID 4948 wrote to memory of 1564	4948	Ogpmjb32.exe	107
PID 4948 wrote to memory of 1564	4948	Ogpmjb32.exe	107
PID 4948 wrote to memory of 1564	4948	Ogpmjb32.exe	107
PID 1564 wrote to memory of 1076	1564	Ojoign32.exe	108
PID 1564 wrote to memory of 1076	1564	Ojoign32.exe	108
PID 1564 wrote to memory of 1076	1564	Ojoign32.exe	108
PID 1076 wrote to memory of 3996	1076	Oqhacgdh.exe	109

C:\Users\Admin\AppData\Local\Temp\4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0.exe
"C:\Users\Admin\AppData\Local\Temp\4eccd42624c7491f749d876e66ef9f000feed621d3429371e68b1131ed1d52a0.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\Njqmepik.exe
  C:\Windows\system32\Njqmepik.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\Npjebj32.exe
    C:\Windows\system32\Npjebj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\SysWOW64\Ndfqbhia.exe
      C:\Windows\system32\Ndfqbhia.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3880
      - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        31⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        41⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        51⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        53⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        58⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        60⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4468
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        71⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        72⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        73⤵
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        74⤵
        
        PID:628
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        75⤵
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:788
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2680
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        80⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5040
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        82⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        83⤵
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        84⤵
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        85⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        88⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        90⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        95⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        96⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        98⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        104⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        105⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        106⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        108⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        109⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        110⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        112⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        114⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        118⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 220
        119⤵
        Program crash
        
        PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5788 -ip 5788
1⤵
PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bchomn32.exe

Filesize
78KB

MD5
e9514ae66484f70cae250672facb04c9

SHA1
62aa04da9a4a9612df9cdecf2230ecabae7f6c9c

SHA256
9fed0f93e2f8894ee2b8531faed7869ef1857096ae86fa246b4f228b21c75346

SHA512
9cf9b38c321b0f4832aaf86c7bfcb5b6a2dd6d2434d68e05551290037ddee18907d251df181b44b149b2e3f52b5758d02b409bc52fa1cab51b1260a137d63c6e

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
78KB

MD5
8065c60bc8296ffa1f310abc70535a42

SHA1
c4d2e25e763c1399e81234ae29f9b407bf581c10

SHA256
75e8e86cc9fb941a0571b570b8f1650410017706d243980d8a73829f75e8add5

SHA512
cb67a40405d48777b7d556958fa2ac9bf9b069e70b01cf4ef8ebac1f17bec238e7f3556e6af25871e89b809a39bb44576f70b66c972fd7e18b97d28dcb069ea3

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
78KB

MD5
1169c9f12e32b098bb2bcb15efe6d702

SHA1
49c5b4712c47eddb98874178e5ff4a59431f88cf

SHA256
589f90e01f1888d1e6f9827ac183b7f4621bb2b8ac5d5e7e590f6807b3516ea2

SHA512
e1e74894a8864d460b31c1f3d5d4a548f9e04b3d2b27571271c018f8dff4ebd8b9f6e8f318fe66dca04b7dbed156dd3f02d0c8d297803632cd8eb18a1df93648

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
78KB

MD5
32e57b1a19501f97c281a16e9ca34800

SHA1
d28482f7a6f9a199dd474de6d0ed09b6f85aae18

SHA256
00190b833e22e087a2906c24e6f030df1d4eed168555a5f7178e3259a6997ecf

SHA512
862eb64be804af87724d0161125b96a0e3b8247e46a4ea30b2f91db79784cb3c4e3a111701c25c476737bb8601cacaa2aa43dd93ad178f19201830e5cc2f8098

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
78KB

MD5
eb48d2e059f34cb338ce93eaaab893e5

SHA1
466a0b1148c703f2ef404e64fc7f3b072d31bd83

SHA256
37280bb7d590c74091035adb8c7118f01e73115717e9e797f6bdf83181b4cc43

SHA512
da90ae02e24b3d0921b8f91a8cd594a8d59e6199290308412e3ea4d8286e9671762951878ef97cde27991738d665a2ac037636a1df089a46f50e7537517ff90d

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
78KB

MD5
b0d3d3f072074bb7f508e788f140553c

SHA1
d93dad0b684bbc9a0f097b1b394c84abd3afe834

SHA256
682f3369a731f93e53e6eabe072b179f0223f0a16bff4c4616b2294b8b4b9380

SHA512
bc2a13af81aa7f04c8a9c26172a94e3e3a964a52de61458e067826ac2a70eb5daee1bf2dad70b0637af2562fcc21be1afa3967d9b43b4dfbe28cd894fc763329

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
78KB

MD5
239f521b1a8e6ba16f829254cc7012eb

SHA1
9dd497778f266ba15627944f74ed194aeed2bd1b

SHA256
e715bf79a8c765d58ca3a0ca7cecc6ffb612d0555670876254ba0681830c8436

SHA512
5db8e0cfa493f2958f58c913c5d67a00ad741eeb3b9b12153aca92a035c82dda9b4f0bd74d4126daa8a22b03a146b177723eb0aa1047c2b5603f4806325451e0

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
78KB

MD5
155b55eb07ad9fc3e59f16283d215e31

SHA1
7d96671950d83f78037d3127b9e2d4b4b922ea1b

SHA256
c94f591c8d56bf4e1bbcc53e22864a9d8c4cfb3c277901993f8191ab9872ab1d

SHA512
dce19aee2a0d5cbdd5fd8f7221e97ce1eb79358efb792ef94a0cbcbc00589adb6ad04fa25a0a361c20f02a7c7068305282e72164c1abbfa722a4b4b1f7f6965c

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
78KB

MD5
1ae757dd3de589b7526c92e2c2cdd950

SHA1
30ae6a675724d32039d4cdde0ea16479d61019f5

SHA256
15a78ded70e4ca42048dd2a29acaff2f2da0bf857749a71de007e335a55337c4

SHA512
7d0dc2526e6180b66b526d6a65d65efc3179885d215a6daaddd87d15bed619b9567e117e1fb14ef164088f9896290bad1285c71036eb08627324a630b6c636f4

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
78KB

MD5
9f55f8dfd189b8b9e683b75283b99a4f

SHA1
7f42177e66117ca0d22c8b8126e0e64e4f64a66a

SHA256
e056d2a049bd93c023365a7c5c3fd8f139aae25872a3d7cd800c4f6d1f63abd0

SHA512
99d25118c89e1dcab918d6283da2d0ee395fce5ed99e7ab96d130e0be925d7f022adca09aef48e9494ca27aa60e19f50947afea511348ba5f086d7cc1d779353

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
78KB

MD5
64e6604579cb3f688192b1ea3c9f9696

SHA1
05082cd4f60bfa3b4bc4154c720e25d02a47e82b

SHA256
cc088695a0c23492c5a480d8e33cf7f7d84117c236cb01501f12f384f5ee3d70

SHA512
9fd2ba2427c6e22c5de64186f88b31c2f0af6c290ba63cd2ae3e36a9566e1bfee426b0ed2c1832f9da8afff8a21e146eec97089f2bfda3445da90d6d7309ff60

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
78KB

MD5
6e909adddb5e4963bd595fa99fb7637a

SHA1
b72bb09e3859006969aa5854475b5f459cff675b

SHA256
985936191df9238320c618562abf3cb68fbc6a2e002b3ce8710b8bf2084f706d

SHA512
6edef5f2eb6641c21ea1c7beeeadf40652edfa11d6ca710a1ae6a44facfbab12d1f5162ded8ab56b3f63adb3099a3a1d403d646b23e3569184de0f40eb571068

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
78KB

MD5
1f774764dbffb60737cc05cda0455a76

SHA1
bf3aab9644f6a7fc98b69cf9bee0c1bfb49c633c

SHA256
23ab0becb41e797ee361ff6c9131f5d8c4677c78dd4c140c07322ef2db9d2720

SHA512
58ccad45b7eac73bc43d3175feb7682960a2ad6aa5b1bd28829ef42aa48c81a1d1a7eafb14fed32485c0254c81e3382183b38262381d46b00490fa08583a2952

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
78KB

MD5
328683951de3150dfa4b603a94fd1991

SHA1
b935d8f3331fda399982e207f265819dd1c30d64

SHA256
cc66f3ad39a12c1621a4cdea48e8effe1dc967447259c2c5264ff6c987e36c23

SHA512
e3a62e9f051145378ca851998dba61826963d52563637f337ffb42eaacd0e0e3afd4152d1c3633147132b12786b8fcdd3972dfcce1542226a74528de67ce623e

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
78KB

MD5
f4140d6b9af305344de4c8558c44c33f

SHA1
d67f51e630be19755ec9a7188323407aeedd6564

SHA256
917055e62a48c0c4e2bf250a4a95fb6b2786e9b1485c25891d5f4a5c6f503d8e

SHA512
b7899f408c83c6e97a19f794b52c5fe0f8158deb6d6e76027b21dde9b007c30768777cc1f0f7640fcefe311e9cec8303e020146d9bf6af0776ec5d301b995ab9

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
78KB

MD5
e1a368a94153583c7d27226b3a471f7a

SHA1
742bd112ca38827c89f6477ce39ec5bfcee558de

SHA256
da36ccf7399ed68043435cf394da3fe91bf13246a66b49efec8889de38698fdc

SHA512
dcb0aa49000a6eb196966cb945febafb911f70fb1bf4747fe71671cd7b0311358988ed09ebee2f2978b762effef80dd80818ac2f91273a6cfe4df22b3c00467c

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
78KB

MD5
417465f1a76f057475bb4e495adb49d4

SHA1
87e61785b3cf1bc9712f1f64bb4ad5a28f89a131

SHA256
47e7a4c3edd5f72e29237eb46c31a00c9bf16b06c9b76197444bf0fd68b2fd27

SHA512
80223c0dacbef4626051d90ad6591ec65043aea7417c50d2bf517fc6642907ac1bdc8bcfcf871056aa3eb25a96c31e87ff6f2b1d427fa437fc1465aca85c1009

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
78KB

MD5
57ca68d8e75493a5486e1ac159e43b80

SHA1
d2dfef28b23392dcc72fde085a4c355694860ff2

SHA256
3ff7bf9224c96744ebb824b71d8a3be5b054ec306319e31045822b2f6c5c6721

SHA512
d15c56370cfa825eb58ca0c94d22874bc5a8aa765147686a4ad49f1a9321a50231b3d9a209eeb9101a95e3601a82a3f7bbd22cd700db30583220da66d2912154

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
78KB

MD5
f6a7afbaab8c01ab4c2a42ca862aebe8

SHA1
b9367658e42f577b119b36a5a7fc1c0c2fbd1cf5

SHA256
f7563974536e6e615ba25ef81ee23f1fef92bd05d2efbb1840e8aff128627927

SHA512
1a7d6b06a7c90ba460dd87999d8edcc9cc2c173614ea291d0030e5d95b26e67a75a6e3e6035c5f49d3d92d0601fa360956b3bbb0807f035a812dd335fce73709

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
78KB

MD5
10a9e9d5bb115691daf3dd6509daff98

SHA1
b42828c301133d7ce116d7cef9b32b33170e2107

SHA256
531219f36d259c2607a9bcdccb325501306db18a61f345405a4ea73e8eb6897d

SHA512
02192aba478aa81beeeb1bcb9530e4586831bf5ea809bd4fd68ae53f92f59ca3f95da44165ed556d2ca9e99f548c6335b68b2c447fd9d8cf8c2d4fbec9e5e9c1

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
78KB

MD5
98db47919dc42059a8b26a9b2ef681b5

SHA1
92dd6a60c9bf51fdf957cfb6cc9862f754f8a53a

SHA256
9de42ad843850693ae8bdbd2e33b23fabf36cfef529df7b0a0457e73da67cdea

SHA512
73eba8d43abae0f26070ce2741c8fe49011bcd4025521f002a29a24fc927005373d48cd3ac284c8cb0f217c991bd07c6fc736888721215441125d2b176056c65

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
78KB

MD5
5f7604fb175d01d8addb2eb968294464

SHA1
163950cbbafcb44c4b708f40cc472dccffa502ce

SHA256
40cac0efe5f822ea14f7b1fe52758ee9ae0cc4e99bd9e1ff99f08346d84ab405

SHA512
9da9b5ad7075289c014a7b5566cb2d914e4fa97c0a6fc308e95e839c660b52da3c91eb875905730534e8b1f370b82267004dce6bd047f03f0d8e0bcbbf4fd444

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
78KB

MD5
570bf635cd8693d77562bd776272c904

SHA1
55a1b8bf68dc8faf6ae5b37c748726096d6b3fab

SHA256
03278c326d93628cbec4f5a6d09acd2e2c7163a1a910ea30a097e274b2cb254e

SHA512
ebfb721f6ad5ac6d2525fcfce5b4a28d8cdaef595409e2b914c6379ac0fa1784033ae3a930f934de4ad1c4b4f7ff2b8cf57adc1bfc422836d9652e92ed9a6056

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
78KB

MD5
ce9b8224463ce8ee018de0dd0def52f4

SHA1
68e65cc3e61328a1cd577ca61badd661a83ef49d

SHA256
6eb724d94feaf1dc5948956d6d69d873d04519ec6239e74f8a005f49939af9f1

SHA512
4a6534350bfeadce061384e2e18e5ea69a489725cbe5ae9ab7e9b141bd7b0da93c330103a8038f5981cba4a05130506f01d92aca18dc8be6ed7a96da14e1f5de

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
78KB

MD5
1e0507b93c304d54e8816faa87270987

SHA1
a472f282b4f7552fe5673086f1c925aad4b8130e

SHA256
574ae306604ccec8bc819f56a832136d73cec4c720e077af985778655c995e6b

SHA512
96cc2a81451b0ca95211929e52eb20c6c77d24c2363f315f6ee245863b85113aa0642b3835cfe584b8d9ae98377fefb3342ab0eb95df939f9393d271841e2904

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
78KB

MD5
308564080a7ef6ff04994abaaa3767be

SHA1
6a5d659c53ae2067fc6a90315e07a6dcdb9274d5

SHA256
f648298fad4a0f5098296202b264125b059374cb0ff973e85402ac34b17f9cb2

SHA512
1d2f7c1faf47d9450f7b2cca8dcaa89bb2c5fd74433311cb2c4a6cb3d28808acd6f9a977ebdd2d984c37116eebf7d775d2c288b6bdab6cb2ee955ac505fde20f

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
78KB

MD5
d1f130384c1751cef20a01158a4cb2db

SHA1
b6e0345f4c12e9b6f97299741090b9334ad2c48d

SHA256
861be4e91ca533d4dc362f4cb842f67b7301eff51246d9a5b6374f9a89eac7ac

SHA512
41a29aabcce0404ff0856448c47b4c2591e72048d5988307ed8c2980abbd506ffdb97bdb19e09835a5f767fade6a86c923a27cb43db13943c4e8447d6c8eaf00

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
78KB

MD5
d45139b667de7a20ea9d493088ec438c

SHA1
d2e10b2506fadc276721d67dd1587bc715abbf1b

SHA256
1c3c596796c2cf60f80484dd424455c453ad1d83eaeb0cdb0891337c2669cf5c

SHA512
a3f579274f7adde877d18be51d6fb1d406227cf7a79639b41569fba02e1912c8521d6c500d4a053395d1bba6ecb468b4afe6d8f50ccfe0a2f2619ab6dcf24807

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
78KB

MD5
3b933a1bcfe20a442af5ca9deb4593e4

SHA1
c195c386bfa24c80ce0fefd7a66f56f24a6bb3f7

SHA256
e4216acc6a50040e2dd0367891f0aa08f902902326b565a5340c1043771b05c1

SHA512
90f5dbc8e4a6df42654396189e360dc0a8b186463e25ca550b5144baf82a138de97ccdcbc24b6299d826c592a2d60c278e0ad7ed956b6a10ed267816a0f50e7a

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
78KB

MD5
470fe9c910fb96763d1cd64be7501141

SHA1
c25d273d866460e7a1ecee82cb39207899d1491d

SHA256
2620143f48deed37552fda0371dc6b3e5156b15e1a5ceff8a6448573fa06a0ac

SHA512
9b0da55c4ecfbbe455f7bdf2f2710dc0193576e8a11342faccf7d049a091c6b059b598eb9dcdf564063eeb3f6495b140b8adb213f070da96605393a4c2db61fd

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
78KB

MD5
df8d114843f7ebf485fd4598da2a3c96

SHA1
72399b62bba963f2a15a4e8bdcdf557cb2c0aa6d

SHA256
6ca17942aef86b8ce3b4b9f15f101f8bd1b6fc874073984a48fe5eb4e1b1fedf

SHA512
de8a94203a087233424fffa9081445a41fdce1e51cb868977e065a4345c636fbefb85ddda63e99fc2440b371148957afc7f9cc9f308c303dab7c042ef5e05e77

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
78KB

MD5
05d2608f528472d9ca6d39f502874909

SHA1
28b60c5810f2f77a9e573854a04581297bb19b32

SHA256
b6f84ccfd47fe8ef7714b1194afaa71380e7107001a10aa6b0600289510f6b88

SHA512
8d23d7812dd05ba14feb5135f1d0bc2f99f40b1c27f3fea198bd80edca83c55bcf8b86775527d2cf81083f426d3aca6850f5a4133c99742edd13b7d32da92c8c

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
78KB

MD5
094dcd0344177cabfce9293d2d6645bb

SHA1
27b849223fe40d81c3544e83d8a0aa8f587a28ff

SHA256
8fb88b9abb5287a002279915ca64cf1e9405b388bb68c53bd21abde3f933fd3f

SHA512
4942b48be7be93edaad6aa6abbd5f3cb597b9067eca1a1255ca19a3d7f68a3a9e5b17428736bac6cc1e8505eca464f9ee9851084d2dc9ce32ecb493148ac5e3b

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
78KB

MD5
c6e628f9cd45ecf48abfd8a3608c759e

SHA1
fd3305fc02d72ae3ec87d01b0a53cc9ec56fe2c4

SHA256
03432bfd978813587404533961a160839bd3045ab7ade15706d0c0c2ded45b89

SHA512
8f291764e9c6d893d7366a7eb32121a44fa74fba542a1d3c27591f4aac7e38478ec820b2526d8eb9fa39e2ae364b49e2a43fb0108174126536f59bde3125ceec

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
78KB

MD5
6a8a7f71fedaf00eb29a302d3689ebb6

SHA1
f778ee692c5d9eb9243f5ceb66c09d1e61dde02d

SHA256
7b9bb999050b0da54205cb5a69c10f7d7bf133e2c8954f43b197acace66fec2b

SHA512
2cf7ef614101e6acc491352e50d59eb46f624df98b59fca48940ed64807e3e0ab7473af648c99dafb3bf87e5a099456c9e713d8393df060d4acaab7da63e733c

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
78KB

MD5
50bb7d5472745412373a7fbf47b2a59d

SHA1
2fd0ade29b9f5e6542e34e8c11d18810e5f50bbb

SHA256
931964bc7f217dd8f2a43b0985fd27099f35bcf0810c6d0a4538af8cc9ada2cf

SHA512
f0cac354151d12607c4fc8875751d1ce5c21d5d65a8ca9d3a516888ee5b07c32bfe87f2590885bc404fb21ca4c1f0526dcc497132a55348353bb2f547fddbfbd

Download Submit
memory/216-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/216-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/220-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/724-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/724-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/752-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1136-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1136-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1520-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1520-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1696-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1696-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1852-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2300-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2740-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2780-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2864-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3080-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3116-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3616-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3616-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3688-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3708-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3880-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3880-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3996-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3996-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4520-138-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-123-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4836-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4836-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4836-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads