ceb6999177a08983e7b20a2b5065bf7ba6238c7e9531807f66016808d4ce22f8

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ceb6999177a08983e7b20a2b5065bf7ba6238c7e9531807f66016808d4ce22f8.exe
Size

104KB
MD5

f2fdaf5d4cdf2933ca0f5f82496b109b
SHA1

dd75040d87d4957288e760696b6afbecc49d9d4e
SHA256

ceb6999177a08983e7b20a2b5065bf7ba6238c7e9531807f66016808d4ce22f8
SHA512

71d9aa5a5c3425a2d32adfd96beeec2fea446c0a9fcb390742698a153ae4bd9ee7922eb5838afc572a71c568054f2a0d2da5208aee15b634608cb3df4f0782be
SSDEEP

3072:zlw0aMmJN+pI4ZN4UiJe5Hx7cEGrhkngpDvchkqbAIQ:ZIH+pIM5Hx4brq2Ah

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ceb6999177a08983e7b20a2b5065bf7ba6238c7e9531807f66016808d4ce22f8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjblje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Galoohke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekjded32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekonpckp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkhpfbce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcmmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghojbq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjffpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceefd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlepcdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iplkpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifomll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lflbkcll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioflcbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lakfeodm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgicgca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihmfco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpnjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Loofnccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opclldhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpgind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbenoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kjblje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqdcnl32.exe

Executes dropped EXE 64 IoCs

pid	Process
964	Gpgind32.exe
1116	Hlepcdoa.exe
2792	Imgicgca.exe
2208	Ifomll32.exe
2628	Igajal32.exe
524	Iplkpa32.exe
2316	Joahqn32.exe
1532	Jpaekqhh.exe
4760	Jngbjd32.exe
4840	Jebfng32.exe
1088	Kjblje32.exe
2344	Keimof32.exe
4588	Kcmmhj32.exe
4344	Kcpjnjii.exe
3128	Kpcjgnhb.exe
820	Lcdciiec.exe
4412	Lnldla32.exe
2324	Ljceqb32.exe
5084	Lfjfecno.exe
5016	Lflbkcll.exe
3796	Mqdcnl32.exe
3520	Mjlhgaqp.exe
2556	Mfchlbfd.exe
3828	Mjaabq32.exe
3288	Mgeakekd.exe
3912	Nggnadib.exe
5064	Ncnofeof.exe
2544	Npepkf32.exe
3996	Nceefd32.exe
3976	Ocgbld32.exe
2056	Oakbehfe.exe
900	Oanokhdb.exe
2704	Opclldhj.exe
1960	Opeiadfg.exe
4676	Pccahbmn.exe
2892	Phajna32.exe
3120	Phcgcqab.exe
2016	Ppahmb32.exe
456	Qdaniq32.exe
2272	Apjkcadp.exe
1432	Akpoaj32.exe
3804	Aopemh32.exe
972	Bklomh32.exe
4976	Chdialdl.exe
5124	Ckebcg32.exe
5164	Cdmfllhn.exe
5212	Cdpcal32.exe
5260	Cnjdpaki.exe
5300	Ddgibkpc.exe
5340	Dggbcf32.exe
5380	Dkhgod32.exe
5420	Ekjded32.exe
5464	Edbiniff.exe
5504	Ekonpckp.exe
5548	Ekajec32.exe
5588	Fgjhpcmo.exe
5636	Fkhpfbce.exe
5676	Fqeioiam.exe
5716	Fbdehlip.exe
5760	Fkmjaa32.exe
5812	Galoohke.exe
5856	Gbnhoj32.exe
5896	Gpaihooo.exe
5928	Gijmad32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Efmnhl32.dll	Lfjfecno.exe
File created	C:\Windows\SysWOW64\Chgnfq32.dll	Lcclncbh.exe
File created	C:\Windows\SysWOW64\Aaeidf32.dll	Lhnhajba.exe
File opened for modification	C:\Windows\SysWOW64\Pciqnk32.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Pipeabep.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Hioflcbj.exe	Hbenoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mjaabq32.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Eciqfjec.dll	Hifmmb32.exe
File created	C:\Windows\SysWOW64\Ppikbm32.exe	Oikjkc32.exe
File created	C:\Windows\SysWOW64\Bppgif32.dll	Kcmmhj32.exe
File created	C:\Windows\SysWOW64\Bkfmmb32.dll	Mqjbddpl.exe
File opened for modification	C:\Windows\SysWOW64\Lhqefjpo.exe	Lcclncbh.exe
File opened for modification	C:\Windows\SysWOW64\Ljceqb32.exe	Lnldla32.exe
File opened for modification	C:\Windows\SysWOW64\Dggbcf32.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Edbiniff.exe	Ekjded32.exe
File created	C:\Windows\SysWOW64\Lcfidb32.exe	Lhqefjpo.exe
File created	C:\Windows\SysWOW64\Hkdoio32.dll	Igajal32.exe
File opened for modification	C:\Windows\SysWOW64\Jngbjd32.exe	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Cpiijfll.dll	Ihmfco32.exe
File opened for modification	C:\Windows\SysWOW64\Kocgbend.exe	Kekbjo32.exe
File created	C:\Windows\SysWOW64\Cnjdpaki.exe	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Kofdhd32.exe	Kiikpnmj.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Aopemh32.exe
File opened for modification	C:\Windows\SysWOW64\Ekjded32.exe	Dkhgod32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Gcgplk32.dll	Apjkcadp.exe
File opened for modification	C:\Windows\SysWOW64\Jbccge32.exe	Jhkbdmbg.exe
File created	C:\Windows\SysWOW64\Gcilohid.dll	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Cmnnimak.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Igajal32.exe	Ifomll32.exe
File created	C:\Windows\SysWOW64\Hkfoel32.dll	Opclldhj.exe
File created	C:\Windows\SysWOW64\Coppbe32.dll	Hbenoi32.exe
File created	C:\Windows\SysWOW64\Npepkf32.exe	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Hifmmb32.exe	Hlblcn32.exe
File opened for modification	C:\Windows\SysWOW64\Ppikbm32.exe	Oikjkc32.exe
File created	C:\Windows\SysWOW64\Ogajpp32.dll	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Ekfjcc32.dll	Imgicgca.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Plpodked.dll	Mbgeqmjp.exe
File opened for modification	C:\Windows\SysWOW64\Nijqcf32.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Jngbjd32.exe	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Dccfkp32.dll	Aibibp32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnhoj32.exe	Galoohke.exe
File created	C:\Windows\SysWOW64\Iiopca32.exe	Ihpcinld.exe
File opened for modification	C:\Windows\SysWOW64\Iiopca32.exe	Ihpcinld.exe
File created	C:\Windows\SysWOW64\Bjfogbjb.exe	Bboffejp.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Jpaekqhh.exe	Joahqn32.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Nggnadib.exe
File opened for modification	C:\Windows\SysWOW64\Aopemh32.exe	Akpoaj32.exe
File created	C:\Windows\SysWOW64\Ajbfciej.dll	Qjhbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Iplkpa32.exe	Igajal32.exe
File created	C:\Windows\SysWOW64\Ihpcinld.exe	Ihmfco32.exe
File created	C:\Windows\SysWOW64\Fnihje32.dll	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Nlbkmokh.dll	Edbiniff.exe
File created	C:\Windows\SysWOW64\Cidcnbjk.dll	Fkhpfbce.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Mmdaih32.dll	Kocgbend.exe
File created	C:\Windows\SysWOW64\Lakfeodm.exe	Lhcali32.exe
File created	C:\Windows\SysWOW64\Ilphdlqh.exe	Iiopca32.exe
File created	C:\Windows\SysWOW64\Gmbjqfjb.dll	Npepkf32.exe
File created	C:\Windows\SysWOW64\Ekajec32.exe	Ekonpckp.exe
File opened for modification	C:\Windows\SysWOW64\Hioflcbj.exe	Hbenoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6724	6532	WerFault.exe	233

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjiffif.dll"	Ilphdlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglpdp32.dll"	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jebfng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceknlgnl.dll"	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfciej.dll"	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqfid32.dll"	Galoohke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdgna32.dll"	Ifomll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmpga32.dll"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgjhpcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Igajal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbqfhb32.dll"	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlppno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkfenfk.dll"	ceb6999177a08983e7b20a2b5065bf7ba6238c7e9531807f66016808d4ce22f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aooold32.dll"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejeak32.dll"	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Joahqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihpcinld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haclqq32.dll"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jngbjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpgind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdoljdi.dll"	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghojbq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Galoohke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbenoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbdehlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhcbhh32.dll"	Qjffpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fgjhpcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgdkbfj.dll"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmnhl32.dll"	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pciqnk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 964	3984	ceb6999177a08983e7b20a2b5065bf7ba6238c7e9531807f66016808d4ce22f8.exe	95
PID 3984 wrote to memory of 964	3984	ceb6999177a08983e7b20a2b5065bf7ba6238c7e9531807f66016808d4ce22f8.exe	95
PID 3984 wrote to memory of 964	3984	ceb6999177a08983e7b20a2b5065bf7ba6238c7e9531807f66016808d4ce22f8.exe	95
PID 964 wrote to memory of 1116	964	Gpgind32.exe	97
PID 964 wrote to memory of 1116	964	Gpgind32.exe	97
PID 964 wrote to memory of 1116	964	Gpgind32.exe	97
PID 1116 wrote to memory of 2792	1116	Hlepcdoa.exe	98
PID 1116 wrote to memory of 2792	1116	Hlepcdoa.exe	98
PID 1116 wrote to memory of 2792	1116	Hlepcdoa.exe	98
PID 2792 wrote to memory of 2208	2792	Imgicgca.exe	99
PID 2792 wrote to memory of 2208	2792	Imgicgca.exe	99
PID 2792 wrote to memory of 2208	2792	Imgicgca.exe	99
PID 2208 wrote to memory of 2628	2208	Ifomll32.exe	100
PID 2208 wrote to memory of 2628	2208	Ifomll32.exe	100
PID 2208 wrote to memory of 2628	2208	Ifomll32.exe	100
PID 2628 wrote to memory of 524	2628	Igajal32.exe	102
PID 2628 wrote to memory of 524	2628	Igajal32.exe	102
PID 2628 wrote to memory of 524	2628	Igajal32.exe	102
PID 524 wrote to memory of 2316	524	Iplkpa32.exe	103
PID 524 wrote to memory of 2316	524	Iplkpa32.exe	103
PID 524 wrote to memory of 2316	524	Iplkpa32.exe	103
PID 2316 wrote to memory of 1532	2316	Joahqn32.exe	105
PID 2316 wrote to memory of 1532	2316	Joahqn32.exe	105
PID 2316 wrote to memory of 1532	2316	Joahqn32.exe	105
PID 1532 wrote to memory of 4760	1532	Jpaekqhh.exe	106
PID 1532 wrote to memory of 4760	1532	Jpaekqhh.exe	106
PID 1532 wrote to memory of 4760	1532	Jpaekqhh.exe	106
PID 4760 wrote to memory of 4840	4760	Jngbjd32.exe	107
PID 4760 wrote to memory of 4840	4760	Jngbjd32.exe	107
PID 4760 wrote to memory of 4840	4760	Jngbjd32.exe	107
PID 4840 wrote to memory of 1088	4840	Jebfng32.exe	108
PID 4840 wrote to memory of 1088	4840	Jebfng32.exe	108
PID 4840 wrote to memory of 1088	4840	Jebfng32.exe	108
PID 1088 wrote to memory of 2344	1088	Kjblje32.exe	109
PID 1088 wrote to memory of 2344	1088	Kjblje32.exe	109
PID 1088 wrote to memory of 2344	1088	Kjblje32.exe	109
PID 2344 wrote to memory of 4588	2344	Keimof32.exe	110
PID 2344 wrote to memory of 4588	2344	Keimof32.exe	110
PID 2344 wrote to memory of 4588	2344	Keimof32.exe	110
PID 4588 wrote to memory of 4344	4588	Kcmmhj32.exe	111
PID 4588 wrote to memory of 4344	4588	Kcmmhj32.exe	111
PID 4588 wrote to memory of 4344	4588	Kcmmhj32.exe	111
PID 4344 wrote to memory of 3128	4344	Kcpjnjii.exe	112
PID 4344 wrote to memory of 3128	4344	Kcpjnjii.exe	112
PID 4344 wrote to memory of 3128	4344	Kcpjnjii.exe	112
PID 3128 wrote to memory of 820	3128	Kpcjgnhb.exe	114
PID 3128 wrote to memory of 820	3128	Kpcjgnhb.exe	114
PID 3128 wrote to memory of 820	3128	Kpcjgnhb.exe	114
PID 820 wrote to memory of 4412	820	Lcdciiec.exe	115
PID 820 wrote to memory of 4412	820	Lcdciiec.exe	115
PID 820 wrote to memory of 4412	820	Lcdciiec.exe	115
PID 4412 wrote to memory of 2324	4412	Lnldla32.exe	116
PID 4412 wrote to memory of 2324	4412	Lnldla32.exe	116
PID 4412 wrote to memory of 2324	4412	Lnldla32.exe	116
PID 2324 wrote to memory of 5084	2324	Ljceqb32.exe	117
PID 2324 wrote to memory of 5084	2324	Ljceqb32.exe	117
PID 2324 wrote to memory of 5084	2324	Ljceqb32.exe	117
PID 5084 wrote to memory of 5016	5084	Lfjfecno.exe	118
PID 5084 wrote to memory of 5016	5084	Lfjfecno.exe	118
PID 5084 wrote to memory of 5016	5084	Lfjfecno.exe	118
PID 5016 wrote to memory of 3796	5016	Lflbkcll.exe	120
PID 5016 wrote to memory of 3796	5016	Lflbkcll.exe	120
PID 5016 wrote to memory of 3796	5016	Lflbkcll.exe	120
PID 3796 wrote to memory of 3520	3796	Mqdcnl32.exe	121

C:\Users\Admin\AppData\Local\Temp\ceb6999177a08983e7b20a2b5065bf7ba6238c7e9531807f66016808d4ce22f8.exe
"C:\Users\Admin\AppData\Local\Temp\ceb6999177a08983e7b20a2b5065bf7ba6238c7e9531807f66016808d4ce22f8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\Gpgind32.exe
  C:\Windows\system32\Gpgind32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\Hlepcdoa.exe
    C:\Windows\system32\Hlepcdoa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\Imgicgca.exe
      C:\Windows\system32\Imgicgca.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        25⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        26⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        31⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        32⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        37⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        38⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        44⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        49⤵
        Executes dropped EXE
        
        PID:5260
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        51⤵
        Executes dropped EXE
        
        PID:5340
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        56⤵
        Executes dropped EXE
        
        PID:5548
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        61⤵
        Executes dropped EXE
        
        PID:5760
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        64⤵
        Executes dropped EXE
        
        PID:5896
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        66⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4620
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        71⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        77⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        78⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        79⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        81⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        82⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        83⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        86⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        89⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        92⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        93⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1408
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        101⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        102⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        104⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        106⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        109⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        110⤵
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        111⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        112⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        115⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        118⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        120⤵
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        121⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6916
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        123⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        124⤵
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        131⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 412
        132⤵
        Program crash
        
        PID:6724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6532 -ip 6532
1⤵
PID:6612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bklomh32.exe

Filesize
104KB

MD5
142b9da6b61d7c35147689bb6a47bb17

SHA1
c69751937d83d8f73c1392bcfb66b24f03b6d531

SHA256
6365e9c7cd2beda3742c55e41d863e2346e65cc15f8baecc8d6537fcc1b83ac1

SHA512
647d2bad47e3b25397b3f5be9505843dcde1fa4493671b91684e809f731cde44789632577ba886abc60deed47674fc38eb18a2340ed956994ba0d1435a59f8d6

Download Submit
C:\Windows\SysWOW64\Cgdgna32.dll

Filesize
7KB

MD5
951e0a841a9e193142268a4a2d6ba545

SHA1
8faa42e4ada9a8a3fca3231b2f5d999f4ebe2dd3

SHA256
b9ba6495f3c73d0f332e0e327f227704ca381b3efc592cb83e690e365a0e4ceb

SHA512
d89f8455c30797440dd2003ec31eebc15888b827871af9a1a1fe8f4f7bec34be229524c701ce36431ee8d6a65365ce15361eec95d77b394c695178fad4563836

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
104KB

MD5
5e20685abd79bd83b2d7822cacd988f6

SHA1
143fa2d26e2ce9796c7b49001d0995656bb651c6

SHA256
c78834bd34a262051d9a405000a585f173148252697e133cc323dbebc7bcb5aa

SHA512
5df0d3a8c5957a78582f349f69ffc5c72c92862d825d27b4ed1cc61423f3f40c0b07e0cf5d5b3312e026d6a2123ba1f8f8082fc03a06bcba0dd35d0da9fd383d

Download Submit
C:\Windows\SysWOW64\Hlepcdoa.exe

Filesize
104KB

MD5
2f9451bcc912e534401d59990e335cbb

SHA1
1808d49bcbbea924e952badb4e4971c6c07a1a21

SHA256
c616691868e2034958ced13deaa190e6bc177583bbbf4dcbc9f8c4e896ca4a7b

SHA512
28a4fc0fb720c532845675394b9747fad3df6942f23eaae2bad298f7fda94dcfb3262cb6f3c23a6252b083989e7d5d35030de1e4af8cbdd67f8ef28b710c90a1

Download Submit
C:\Windows\SysWOW64\Ifomll32.exe

Filesize
104KB

MD5
e6fc6affdba0e1ef6fa81ea8ea98abe1

SHA1
8e73a82097b70c3dd7e68ee4a9d4876a865e0768

SHA256
fe56ca6fd2cc1386e1e5717e12c7a7b9a155199f5cabc38d774052417decf3b4

SHA512
845cf3aca1714f90b0d2e410d788476552c17e62a5e8302a0cd63437562d45253f95707c3f376ae098a882d138988434e32f5695cf97e01298bb64b4f57fee08

Download Submit
C:\Windows\SysWOW64\Igajal32.exe

Filesize
104KB

MD5
54d28ce1041b35a5f9a3a25784e13eff

SHA1
06950d8cf402fd5d413c6d149653bcc997bcb5de

SHA256
19b3cc837057db39f74da97c97f879e85a91191d6168ec8331c182407c9d6fa5

SHA512
043cbbd13e792e0813a6a312bdf70956a73cdcf96901de912e57d0d93bff000a58dd34ac497c56aa6c1cfa64dc1a13840a69f9fa7005b6d59a714a09edbfb266

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
104KB

MD5
5cef94fcb870da68fc5d93fa2d34abba

SHA1
5a3573aca97ebe09ee756e08b8716711ce5a9dc5

SHA256
bbae2f9a071a0696b5e2d3a1ca8a1cc2dc0a06e3f81df00d8bce903a6a766108

SHA512
2373fe1669be5865fd0b3c9adc239b107eaa7f4c28a973917adda891c40d49bc7c223639644f45ae8ddc9aaab6d483bd7f627537184c5d2a87b7d2bc39be0e6d

Download Submit
C:\Windows\SysWOW64\Iplkpa32.exe

Filesize
104KB

MD5
e596a75a339504f580aa1a2733ef2c1a

SHA1
478c219e3fecb16d1966a83f13a3004b485daff7

SHA256
99ef8751441e7122b4c221c991f04ff54cfc66856566973e594fc98a7d1758db

SHA512
a10275a87f3d38860dc1a613bf509d4a1cbef20dfd6c2b71371dead4d2261646bd9e7cea6b4fa12fdefcdd74224f92454ea4d1cd500251ac3001a08faf023e14

Download Submit
C:\Windows\SysWOW64\Jebfng32.exe

Filesize
104KB

MD5
6698fcd6ec5de5d62bf1e760db0b805f

SHA1
68c5c25ed6c0d6fb8f50a4087a780a9f36d1236b

SHA256
3cea4c03ea9e5e42d24557d260c4362faef07d8ffa3ecc9a19cb9d82ec578502

SHA512
7af430e2674c0bfe039bcd32bda576b12f776ebc5774f914501758fa0cad069d4969183a17d6cb79ed866f061dfa5a1f869a8dfcac4f46693fb35969f66dc0c9

Download Submit
C:\Windows\SysWOW64\Jngbjd32.exe

Filesize
104KB

MD5
8d6a24494c5311c60ff05dd353fd4d67

SHA1
4f8ac7ba90b62192077aac4242f0e0f44066089a

SHA256
0f6f5d56229671e6382b2af8bc49458cd778ce8a3eea477cc0778efb27f0624f

SHA512
3f06a38dd35034aa25523b3e51490ef6038dbe2fb099873f1d71f1f6fd4f9b461250cf17d56f2413e4d9cfb54ed237857db1b16a917fb70505f9f37ed7d9377a

Download Submit
C:\Windows\SysWOW64\Joahqn32.exe

Filesize
104KB

MD5
90cda66e091c2ecbef67136a68d9c9d7

SHA1
09c35db7b4554551e9013369f90f8c45e99e9dfa

SHA256
e6ca25bbff819e8bcf08170a04a59b010e07dcf14d132afb8d96ca89a90bcddd

SHA512
00b23c842cd9ded1ddc9b17c9eab30e7f62dd2a071487963767631d8559629d41f9eac390cf746c9aed35d2495a17f0c1b84b50aef41b9bf338908e333625cac

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
104KB

MD5
a8c1ca32757fdb1f06a29cf2fc35fd8f

SHA1
890ae9c68b412b0ff7d93fd7a26497c015b68bea

SHA256
7bee28856691f29efc99271e7a2841614942019ba9732ade0ea63b44c05d66c3

SHA512
122ede60df3912c2e50f2e562872d86e0875b8f79ee2230ccf1c1e5361cb4c37b4eb913c75b74c3509cd67b7d8c6a3d055fa4f799140898460b14cdc3df24b03

Download Submit
C:\Windows\SysWOW64\Kcmmhj32.exe

Filesize
104KB

MD5
fff74550eb10e95eb1f65fad9c46f20d

SHA1
68222e633b8846e7ccf090c10506d34906b149c7

SHA256
3f2da75a76e8dd9d5e659fd56aeadc14fe29a863ef7931fada2e7acad70e8282

SHA512
a2225cb86468a5d382b0a3cb8c2a93682eeade8df88870a5821f75e268459ca0e15ee56f9a785e67684e3ca28d4a6c3d433d55cc43a20aaa33f3c5d2f332b98d

Download Submit
C:\Windows\SysWOW64\Kcpjnjii.exe

Filesize
104KB

MD5
723835dd23721d11db7246452f23fa71

SHA1
8c45ba6c54f744ec39fd7d8333189d8fc7a73ad3

SHA256
316f0c4b7363fa37d5bb69fec755d5613acf6524662c6df973b845c87935e141

SHA512
5be65c7efe09aba89a33737698c87082d672b0ac558ba276fcaa7b6bd7cbe1e9cd825b3dad028c1a8a7c7f03021b5c86144d4e0c7ca356d8e94dd07e04a7728d

Download Submit
C:\Windows\SysWOW64\Keimof32.exe

Filesize
104KB

MD5
dc5eef4c4100a0829503b136aaa52f74

SHA1
47b17b899e88ea650bff2639e4a09ffb9a0a5cdb

SHA256
93854534affe63709621c041c92bc793b8b7e469e8580878371be8b19b703f15

SHA512
fd636110c6f02715a555bd4067c8d11a2584afc2210f53eedca8aa35fbc8572981271a1a6c129da1bf2f4722c98b9f3576cc291cbe23df973fb4071b7f1b120f

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
104KB

MD5
b9890ad7464529f7da95edea445aa376

SHA1
6a914745f30c54592f2a0a0cbad7968f0448f63c

SHA256
e7488ff624c05aa8d772d3097cc0e83b9a26f3699e90b989340158361497be83

SHA512
30d1e2e683591e6389ce9de751fa5d47e5fa8cd4f3259324134a3bfeef02f71c0c0636ee4e1ee8c65b679a84d0a7d79b6ff61c8c0c8c7e1a0c0677622cc88276

Download Submit
C:\Windows\SysWOW64\Kjblje32.exe

Filesize
104KB

MD5
2cd753b4979c39aa832bcde0210d7fe4

SHA1
9396cf32b181788cca4bdd191ebabb40164efa07

SHA256
3e036f49fdc1f651ae74c53cd2ff282c8aecc1981944aab8101fe2ded504bf11

SHA512
8665a147d8d8cc134b1f79b9c75d906b491bad081e086a5fbe9aca67fd5b575675b135d950ead32130e20e3adc5f65e5b09a61ea169743b413ac5558ca08f8ac

Download Submit
C:\Windows\SysWOW64\Kpcjgnhb.exe

Filesize
104KB

MD5
478cc2c9c5b9f7eca137b88cc1d81ae0

SHA1
b6b0746be5f896401fb646c22c7b482037ca5abb

SHA256
8c751f46fb9aeed0ce47175bdb32adc2d9445d191cc1750b7840f61e8832699b

SHA512
58a8de6dde13c0e00557f40fb33f1555557a8d8cc0fe4fc5b3cdde2299a42df6993119d15992d6d9545f8ecfeb81187a03b598d5f006630d5f4ae7890e6ae734

Download Submit
C:\Windows\SysWOW64\Lcdciiec.exe

Filesize
104KB

MD5
540d3973c0b20068b814851ca2d05b86

SHA1
767b2a1d74b35c11f6dbb5c966e29b18688e3380

SHA256
4a6f74579ec57ec26c990edcfc56077e8c3aa723b9b02ff35115ffeb9f59248f

SHA512
84f08b24e77a98b4d3900c14b163bd78a29e0b396e0b61e5cc61e7f55143958ecdcbaad498179e4dd2864911146bd1a91fe9ce609302a269966aa9416c29028a

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
104KB

MD5
bbc46c913ed6415e93dc9be98d206076

SHA1
c989ea46e0c08b1b69f9773452c7ca98b777cf22

SHA256
ad40b114eb899c40c58edc82ff3493098667d51d3da3433aaa3995ae04221f26

SHA512
66e3432eba318f674989550cd5d4768ad2946a7828f91bcaa82c97d89995faa0f146e7f5027be691346e130eb5ffce56eacff97eb6b4a3608d3211c3e1994a21

Download Submit
C:\Windows\SysWOW64\Lflbkcll.exe

Filesize
104KB

MD5
c451e955fb796ac7ab4e4ee2fff22ed3

SHA1
e1a1844480deabdb2a8957c99a70807ccafd7835

SHA256
485b9260b10110579238eeeec7644bb55b2c93b27a5feb0a3601668ce953e0e9

SHA512
d80ca8a41ee25cf188cee6a33f5fbfa1ee8074d12b7b1bf3e7b9dbadfd46749d2de8280f89b1827c0eab3420ecca526c46c7de4bbcbf542c20b2028f4c2b8546

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
104KB

MD5
59ac9e8aff3953724291c8c662ebe451

SHA1
1d098899b3cfd062873a6374ac77bf1517406264

SHA256
90bb5b49283119cc53fc4c42eded8d01f8f944b76add97ec1ed8405650f89293

SHA512
f1389c71eeb82755f8bef5cae5672812ff40cb1914c704e4704e94b36e748609539412ed4ecec37f2ac23dc6f1ffe86ecdcf26c44971bf8f3a2eca38f8517800

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
104KB

MD5
70bbfea20a07869d7dca76f24c227a48

SHA1
2d02050f5fdb38186885c8a7f124badfc5b16389

SHA256
3e570cc4980f39cdd98d82c9c4844e520960378f1199de2c7f538abce86166f1

SHA512
e4ac90e088a1dcf9e6cba07a8cc50fb36bf1965c0bbe29fbe710d5bff5eb00f2f854a35f3cf379db7b005ba8b1a31218803a69d4467824c7b15393f8201491c3

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
104KB

MD5
40ebf5c1668f97aaae36ec92ea5663c2

SHA1
6915b89b02fd58dd58d484fea619d22cc3c3f6b8

SHA256
f59fda01dc0551949d8bb76e5549b63d5ebe5bf7098317ad898944a384f7782d

SHA512
970047be8c1dac405285fed99b184f93e57fa596ff78353e92f1b50e3959bb8618b8480cb7f5f92895e2fc080e90e26a021566d16ee557397008bf1ba63d4c42

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
104KB

MD5
fb82db269b29c035e8420114c82247f8

SHA1
9164b2ada9d3443015ff071bc0c1bba718ad9b50

SHA256
464358494059f87318cead14fe09ec99b979d9e9c7b68fe34eca506eae457074

SHA512
ec64f60422fd12b6bf5b141824a4947fa337045224465f71619ddbeaf06f7bb42a35c315c24120be533a7ccc6642cc71b1ae318f40d853a6e2f3df4967ce38b5

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
104KB

MD5
e050cc10b389168441e8b52a84d90cce

SHA1
95d63b9b5d9a54c31bf6484921f4bf177b42c8ed

SHA256
5e4724a08c728cfaaf6791a4f315dd0a389bf5c49ca8444631644d05eff470a5

SHA512
0f4035cbf9320033d6e43dd4e936b369f7c6f5700b18331684bbeb602c52d14922f7fb29a1d910cd56892b6b024cb4402be76b556fe23682fb033ba4556e4b2d

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
104KB

MD5
6396bcbb7a44146bc0ff3a19f3bfcf67

SHA1
b8528c2ccf8ff60506989d6b77e72b2d518b7968

SHA256
ec083516c490a914d1e0ff0f8c9c261af71ecfc0a3a8ffe69b97e93c86de727a

SHA512
f92b47437f968b5432b8adb160ba3926dc377b00b743c0e322606f9bb2fba5793e64ff7ef3baf8e95879d8fca700fd1d015d23b2ffb6cd25c0af35a4cce93657

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
104KB

MD5
49c1c433e9f7dd834f355641d0a7cb0d

SHA1
4ec390bdd3c3fd0357cc191a00d7cca5fec80d2c

SHA256
28d097335b5fecc34015920014995c7a606b6cb1b99b85a1c06385bcf11b970b

SHA512
0f383339ea0e66ce3901ac49b66906b624319f1b56d53a93ac99edc71a4f133737ddb9cf04cd4f65c2b1899afa0abe6d631063974b2ad1a0a7f57fef8bedbb3b

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
104KB

MD5
06e9d3442d36cf6aa7962c4a2fd56185

SHA1
daa294930cc5c9b8d5876f496f24c34665d71b77

SHA256
f046a8e97cf8821321ec0756eb58ae6387ecad17047f1b15aa1b159576eadf4e

SHA512
f41baff6496cac20f9aee5436ffee71289ca1407cded982e11f0b5625b155ec82546b3274ab01ed0e37aed3da6a1e3c3c50708586ef73c854ce67dcffe7bc390

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
104KB

MD5
97845a752c4afebde29e35bc56480597

SHA1
9ddc8bd8481d75cd3cb340d6b1a60b246008bc4a

SHA256
f22250de1776b97ae2ba2f9d8eaf2a4d42c4c72debfc273f44a4085a79c9fcbc

SHA512
3324fecf521fe2dfa94596458a90053a5778656c5114618d49d4c8d832765cd6738209344b57ff2febf8105f493a045fee510ae01b6bfb0c93a66f599f24446c

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
104KB

MD5
57705d6c1585a955fc43331a498b54fd

SHA1
1bc03faa0e8492a901c4169cc46ea49920b42e08

SHA256
df5c33da13f5035c7a2b295dc4482d2721bbc141a26224de8e4d83f86df6c7af

SHA512
59336eb5b79f23f0818b2ca523f37e7dbf3a81baca892893ee9d674cb466337a11392a299efe2cd9ddca7f3f4e43111b5ab899ee1442d919e9d35a56d6eb1edd

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
104KB

MD5
e1ec466a584749808913e9c6b243d58a

SHA1
c374db7d77c187132d53a989fb272b46e245e895

SHA256
8f04c0f5cd76e1d093fa56d55df79f60e7e3cd359483b5c0a854cd49674f7a30

SHA512
f6ec281128963a5845fde2ca1db80da743fe0c89e9e206568037f6edc40c3f308b98e030dedc8645e3d059872d25c0f8018e5c2861a77dab6a00e99d63624cee

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
104KB

MD5
319ea05d156e6137968df248f4edd897

SHA1
c7c93c908789eefd067c2ad0f5ab1bf18e92e7b2

SHA256
a13ff2808674773943a5f6e7e7f183aed842d2d1aa2c26f3a30dca5d95078cb8

SHA512
830bdaf76ce35da4706ca168db8552c35737e3dd60a1a6678761004cfd75f148f996583af8c1083b34c8c78f1804d173a19cc61b640f6d94badeb32924d90ac6

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
104KB

MD5
4f28e170bd558ae8fc30497934545063

SHA1
0c0b933c246a04bb0e69ce57a1668869664c67b8

SHA256
65e9aab298879990ceb1c43021d2459f32b28e7d37ceb873d1fa25c0903bd14f

SHA512
e79bf4ca9674ffb70e4c7494f49a3a77d5220d742c00c9f8955bc273684964ceea7e67ca8d78f5b7fe10352aa60e9787b3be7c856b6bd001f330298fab2757e6

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
104KB

MD5
974e6066c695dab7e298a5383937f2c8

SHA1
6b9e63281ec5d970f65986ead0a7cac90bdd4e08

SHA256
76097ae915fc636360895a6b3f2053960399dbf4db88ce3aadf7b1a11c0946e0

SHA512
c0a5b2dbe675938e47df7e7359f2fe9c7f0dc3af9f726d06db2ddb6a5f2d42d6ba85aecc5face784205712f0e954faacbe68268e23955244d0f0056aa65fa6b0

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
104KB

MD5
30ef1a3bec76bda2ef0cdda5f25006e3

SHA1
059fa51ef5cd7b78696b360a747ab1cd19286d11

SHA256
5ddf510173e57e127e788f7669d4fef00c92ed88580f2f3ae13357ffbc911621

SHA512
0a8abf2c458331708d85622ab357232415ac097bca87d83a1b0240d7500d7d43fe5f4bf8988fc48bac8c29c93a0fbe40fa5a6d9bf5a895de5f2166ce2441a06b

Download Submit
memory/456-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/524-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/820-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/900-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/964-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/972-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1116-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1432-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1960-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2056-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2272-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2316-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2544-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2792-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2892-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3120-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3128-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3288-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3520-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3804-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3828-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3912-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3976-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3984-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4588-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4976-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5124-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5164-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5212-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5260-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5300-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5340-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5380-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5420-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5464-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5504-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5548-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5588-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5636-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5676-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5716-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5760-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5812-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5856-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5896-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads