cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215

Analysis

max time kernel
63s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215.exe
Size

59KB
MD5

b288dcb4cb92e26d742d7c31c3b299ca
SHA1

7e22d431e40e26f18abf61c7fb3f4ace54ba13b0
SHA256

cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215
SHA512

9975c0b7ab4bea6c174cdbbc7532c1fa3b850129028733aa26d2b3dd0a58e271d1231783c04951cb87db662e7a188752b9dfba74381848a1d43e95afac78dbd9
SSDEEP

768:bOQ/99SzqZa/SbHcIt4K2jFI77/IoOKpFZZ/1H5Kcs5nf1fZMEBFELvkVgFRo:bOQ/fAuR5/goOKvRMXNCyVso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmbegqjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbajeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadghn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaiqcnhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbonoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckpamabg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adepji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmbegqjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabkbono.exe

Executes dropped EXE 64 IoCs

pid	Process
1968	Njedbjej.exe
2656	Nmcpoedn.exe
4724	Ncmhko32.exe
3704	Nfldgk32.exe
4268	Nmfmde32.exe
1912	Nodiqp32.exe
2224	Nbbeml32.exe
1052	Nimmifgo.exe
2364	Nqcejcha.exe
3108	Ncbafoge.exe
1856	Nfqnbjfi.exe
4872	Niojoeel.exe
3556	Ooibkpmi.exe
1544	Ofckhj32.exe
4556	Ojnfihmo.exe
2752	Ommceclc.exe
4480	Ookoaokf.exe
2256	Objkmkjj.exe
2384	Ojqcnhkl.exe
3096	Oqklkbbi.exe
4640	Ocihgnam.exe
8	Ojcpdg32.exe
2668	Oifppdpd.exe
3124	Oophlo32.exe
728	Obnehj32.exe
1180	Ojemig32.exe
2788	Omdieb32.exe
3460	Opbean32.exe
4824	Ojhiogdd.exe
548	Omfekbdh.exe
3956	Ppdbgncl.exe
672	Pcpnhl32.exe
996	Pfojdh32.exe
3316	Pmhbqbae.exe
4924	Pcbkml32.exe
2420	Pbekii32.exe
3748	Pjlcjf32.exe
4000	Pmkofa32.exe
3912	Ppikbm32.exe
4764	Pfccogfc.exe
4916	Piapkbeg.exe
1000	Pplhhm32.exe
3608	Pcgdhkem.exe
4632	Pjaleemj.exe
2676	Pmphaaln.exe
3404	Pakdbp32.exe
4904	Pblajhje.exe
2136	Pfhmjf32.exe
3968	Pmbegqjk.exe
3564	Qppaclio.exe
760	Qbonoghb.exe
4648	Qjffpe32.exe
972	Qiiflaoo.exe
4168	Qapnmopa.exe
4704	Qbajeg32.exe
1848	Qjhbfd32.exe
5100	Aabkbono.exe
1708	Apeknk32.exe
2884	Afockelf.exe
592	Aadghn32.exe
4920	Apggckbf.exe
4940	Abfdpfaj.exe
3112	Aiplmq32.exe
684	Aagdnn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chjjqebm.dll	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Kebkgjkg.dll	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Ooibkpmi.exe	Niojoeel.exe
File opened for modification	C:\Windows\SysWOW64\Ajohfcpj.exe	Abhqefpg.exe
File created	C:\Windows\SysWOW64\Njonjm32.dll	Ajaelc32.exe
File created	C:\Windows\SysWOW64\Ijgiemgc.dll	Bjhkmbho.exe
File created	C:\Windows\SysWOW64\Cldaec32.dll	Afockelf.exe
File created	C:\Windows\SysWOW64\Bdcmkgmm.exe	Bphqji32.exe
File opened for modification	C:\Windows\SysWOW64\Calfpk32.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Kpqgeihg.dll	Pbekii32.exe
File opened for modification	C:\Windows\SysWOW64\Pfccogfc.exe	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Hlhmjl32.dll	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Qppaclio.exe	Pmbegqjk.exe
File opened for modification	C:\Windows\SysWOW64\Ppdbgncl.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Bpedeiff.exe	Bmggingc.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Ccmcgcmp.exe	Cpogkhnl.exe
File created	C:\Windows\SysWOW64\Ojqcnhkl.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Ojcpdg32.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Pencqe32.dll	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Bmggingc.exe	Bjhkmbho.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Leldmdbk.dll	Bmggingc.exe
File created	C:\Windows\SysWOW64\Niojoeel.exe	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Ppikbm32.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Piapkbeg.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Gohlkq32.dll	Pmbegqjk.exe
File opened for modification	C:\Windows\SysWOW64\Bmdkcnie.exe	Bjfogbjb.exe
File opened for modification	C:\Windows\SysWOW64\Bboffejp.exe	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Fnihje32.dll	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Eiahpo32.dll	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Qidpon32.dll	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Kngmnjok.dll	Qiiflaoo.exe
File opened for modification	C:\Windows\SysWOW64\Qjhbfd32.exe	Qbajeg32.exe
File created	C:\Windows\SysWOW64\Ajbfciej.dll	Apggckbf.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Ciihjmcj.exe	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Pbekii32.exe	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Pfccogfc.exe	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Qapnmopa.exe	Qiiflaoo.exe
File opened for modification	C:\Windows\SysWOW64\Bdocph32.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Bpjmph32.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Nimmifgo.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Bpldbefn.dll	Ommceclc.exe
File created	C:\Windows\SysWOW64\Omdieb32.exe	Ojemig32.exe
File opened for modification	C:\Windows\SysWOW64\Ampaho32.exe	Ajaelc32.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Bmladm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfbbb32.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Cgklmacf.exe	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Lodabb32.dll	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Obnehj32.exe	Oophlo32.exe
File opened for modification	C:\Windows\SysWOW64\Pbekii32.exe	Pcbkml32.exe
File opened for modification	C:\Windows\SysWOW64\Ppikbm32.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Dilcjbag.dll	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Ommceclc.exe	Ojnfihmo.exe
File opened for modification	C:\Windows\SysWOW64\Omdieb32.exe	Ojemig32.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Omdieb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5992	5916	WerFault.exe	213

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejeak32.dll"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll"	Afhfaddk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodabb32.dll"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfhldel.dll"	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoomp32.dll"	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adppeapp.dll"	Ckpamabg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhcbhh32.dll"	Qbajeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labnlj32.dll"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildolk32.dll"	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohlkq32.dll"	Pmbegqjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll"	cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnehj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cienon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abhqefpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijgiemgc.dll"	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1968	1700	cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215.exe	88
PID 1700 wrote to memory of 1968	1700	cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215.exe	88
PID 1700 wrote to memory of 1968	1700	cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215.exe	88
PID 1968 wrote to memory of 2656	1968	Njedbjej.exe	89
PID 1968 wrote to memory of 2656	1968	Njedbjej.exe	89
PID 1968 wrote to memory of 2656	1968	Njedbjej.exe	89
PID 2656 wrote to memory of 4724	2656	Nmcpoedn.exe	90
PID 2656 wrote to memory of 4724	2656	Nmcpoedn.exe	90
PID 2656 wrote to memory of 4724	2656	Nmcpoedn.exe	90
PID 4724 wrote to memory of 3704	4724	Ncmhko32.exe	91
PID 4724 wrote to memory of 3704	4724	Ncmhko32.exe	91
PID 4724 wrote to memory of 3704	4724	Ncmhko32.exe	91
PID 3704 wrote to memory of 4268	3704	Nfldgk32.exe	92
PID 3704 wrote to memory of 4268	3704	Nfldgk32.exe	92
PID 3704 wrote to memory of 4268	3704	Nfldgk32.exe	92
PID 4268 wrote to memory of 1912	4268	Nmfmde32.exe	93
PID 4268 wrote to memory of 1912	4268	Nmfmde32.exe	93
PID 4268 wrote to memory of 1912	4268	Nmfmde32.exe	93
PID 1912 wrote to memory of 2224	1912	Nodiqp32.exe	94
PID 1912 wrote to memory of 2224	1912	Nodiqp32.exe	94
PID 1912 wrote to memory of 2224	1912	Nodiqp32.exe	94
PID 2224 wrote to memory of 1052	2224	Nbbeml32.exe	95
PID 2224 wrote to memory of 1052	2224	Nbbeml32.exe	95
PID 2224 wrote to memory of 1052	2224	Nbbeml32.exe	95
PID 1052 wrote to memory of 2364	1052	Nimmifgo.exe	96
PID 1052 wrote to memory of 2364	1052	Nimmifgo.exe	96
PID 1052 wrote to memory of 2364	1052	Nimmifgo.exe	96
PID 2364 wrote to memory of 3108	2364	Nqcejcha.exe	97
PID 2364 wrote to memory of 3108	2364	Nqcejcha.exe	97
PID 2364 wrote to memory of 3108	2364	Nqcejcha.exe	97
PID 3108 wrote to memory of 1856	3108	Ncbafoge.exe	98
PID 3108 wrote to memory of 1856	3108	Ncbafoge.exe	98
PID 3108 wrote to memory of 1856	3108	Ncbafoge.exe	98
PID 1856 wrote to memory of 4872	1856	Nfqnbjfi.exe	99
PID 1856 wrote to memory of 4872	1856	Nfqnbjfi.exe	99
PID 1856 wrote to memory of 4872	1856	Nfqnbjfi.exe	99
PID 4872 wrote to memory of 3556	4872	Niojoeel.exe	100
PID 4872 wrote to memory of 3556	4872	Niojoeel.exe	100
PID 4872 wrote to memory of 3556	4872	Niojoeel.exe	100
PID 3556 wrote to memory of 1544	3556	Ooibkpmi.exe	101
PID 3556 wrote to memory of 1544	3556	Ooibkpmi.exe	101
PID 3556 wrote to memory of 1544	3556	Ooibkpmi.exe	101
PID 1544 wrote to memory of 4556	1544	Ofckhj32.exe	102
PID 1544 wrote to memory of 4556	1544	Ofckhj32.exe	102
PID 1544 wrote to memory of 4556	1544	Ofckhj32.exe	102
PID 4556 wrote to memory of 2752	4556	Ojnfihmo.exe	103
PID 4556 wrote to memory of 2752	4556	Ojnfihmo.exe	103
PID 4556 wrote to memory of 2752	4556	Ojnfihmo.exe	103
PID 2752 wrote to memory of 4480	2752	Ommceclc.exe	104
PID 2752 wrote to memory of 4480	2752	Ommceclc.exe	104
PID 2752 wrote to memory of 4480	2752	Ommceclc.exe	104
PID 4480 wrote to memory of 2256	4480	Ookoaokf.exe	105
PID 4480 wrote to memory of 2256	4480	Ookoaokf.exe	105
PID 4480 wrote to memory of 2256	4480	Ookoaokf.exe	105
PID 2256 wrote to memory of 2384	2256	Objkmkjj.exe	106
PID 2256 wrote to memory of 2384	2256	Objkmkjj.exe	106
PID 2256 wrote to memory of 2384	2256	Objkmkjj.exe	106
PID 2384 wrote to memory of 3096	2384	Ojqcnhkl.exe	107
PID 2384 wrote to memory of 3096	2384	Ojqcnhkl.exe	107
PID 2384 wrote to memory of 3096	2384	Ojqcnhkl.exe	107
PID 3096 wrote to memory of 4640	3096	Oqklkbbi.exe	108
PID 3096 wrote to memory of 4640	3096	Oqklkbbi.exe	108
PID 3096 wrote to memory of 4640	3096	Oqklkbbi.exe	108
PID 4640 wrote to memory of 8	4640	Ocihgnam.exe	109

C:\Users\Admin\AppData\Local\Temp\cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215.exe
"C:\Users\Admin\AppData\Local\Temp\cc8c09fc76867020e425263907e92eb0586a3a4c6136b62aa94bb47ed5d34215.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\Njedbjej.exe
  C:\Windows\system32\Njedbjej.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\Nmcpoedn.exe
    C:\Windows\system32\Nmcpoedn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\Ncmhko32.exe
      C:\Windows\system32\Ncmhko32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        29⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        35⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        51⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:592
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4140
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        69⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2664
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5028
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        72⤵
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2360
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        75⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        76⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        77⤵
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        78⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:440
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        82⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:224
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        86⤵
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        87⤵
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        88⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        89⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        92⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        93⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        99⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        100⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        103⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        107⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        110⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        112⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        116⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        117⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        119⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        122⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 404
        123⤵
        Program crash
        
        PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5916 -ip 5916
1⤵
PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bboffejp.exe

Filesize
59KB

MD5
8f739fb5608975fb4467cde988d66a53

SHA1
b587b16c1a07d5c7e1d6e7f9b242052d7c5fd57e

SHA256
d985366c1fef9f839cbb57414526a783fc85f54799c085112e6d4611fcb01883

SHA512
fe4a629329f722e5dc94b211614b779ff828b8b1de7dea5a65ee2080885f93b6f228fccd55dd7bfa1d2a92a01e44d0f0214e80eba8ea4e1a9543fab16b1ed914

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
59KB

MD5
abee4ab30bf9eca1df7f80c7944d3860

SHA1
f818e4c2d7f8c0dfb1ac08dafb0a31b8974cf98c

SHA256
3e1687c319d269634e932f7efbaf76bdb9c995134e904593aa24554b546f1c4f

SHA512
a563e911a5e41b01166f38e98be8089d54022c53490701bd32589cd9be6c6c9d09bb97f7759a8c773776d33c5a0ce4f43ea109f3b80c3a52b70c8c50f7095fc5

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
59KB

MD5
b1b65fb3ac861f4c214d7c18b28aaeae

SHA1
9b82fed5009c5087152323850c87e8d09d159232

SHA256
b49c6140e646a3255e894150b205384d49f44b6e92de5c7ebdfb00ace149a156

SHA512
d8c031699ecc6a17187b445102eab2a094d9d3fa009eb9c246db0426005e4561dfec0cfaeaff4fdb9e5ae7440ad2ec92e474aaa1e4776ea4c1549c648fd364f0

Download Submit
C:\Windows\SysWOW64\Ncbafoge.exe

Filesize
59KB

MD5
d26978d790ff5a142638c7cb098af0d9

SHA1
614d38317766f8f8521c150a39b2d1b0da91d76f

SHA256
44d9283d54182b7583513f50f29eb5bd49caf19022d9ae64d564225271a871ff

SHA512
1b425ec4aa517b151a38803f6387c68493154a972b5784fa58a9bac1dd098120cbd306883b269c6801a7acb9a6fcb1decc6033a9b379a1d25391837d6640a403

Download Submit
C:\Windows\SysWOW64\Ncmhko32.exe

Filesize
59KB

MD5
751897cb4521cc2a257ebafb95c1929f

SHA1
19ad456d5979aebbdae76e6d8e655bfb9232bb56

SHA256
eca1540a95bf403f635b3bce9d44a7e0bad11d6b0d21cead94e5498ffa1d3238

SHA512
2c0efc6fceeb4dbd6f6d7ebc1efcc912638f14ab6db68f92a973434f60c2b678f16224180ff5dde47ec717bc5a42593442013d95fc74975cbffb10bcdb2b875b

Download Submit
C:\Windows\SysWOW64\Nfldgk32.exe

Filesize
59KB

MD5
8be831862d5303ba95dd5122017c7b59

SHA1
4cfa298de954362a417b330ddeec863fcc2dfb2f

SHA256
e84cc2e58f594f5d3c55c22989517904af3f90986d4f90020f8f87ad92207168

SHA512
a6eebc908e8d3e7f3766144555f8fb8a6ba8e4db1a00e5f31a6acf0bb1ee79dea11151e278d3b3c9bd6cf55502e7fb2946e2be164149e92762ee601f87318b8e

Download Submit
C:\Windows\SysWOW64\Nfqnbjfi.exe

Filesize
59KB

MD5
d954d6d5869b2928e654dddb986c977c

SHA1
2ebc296ff91c2a993bd8a9a94a78095c0ca10297

SHA256
1fff6e4e40844686ecc60fc1f5cdb0df4b249216d95bcc7263fbd42ca23fe8b4

SHA512
7da07f22af3157e4a99bb95180c1654877c894ab79db430e920b33c53454f882120aedc981218cfc967b258c866958ca691bc62f2ff944cb2a1da3a4dc6f08dd

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
59KB

MD5
b09d7b8b4ad5e240873e35483baf5527

SHA1
98b8a714483c228fbebaad4e8818126f13b22ae9

SHA256
7ff689f446c57fb43d7b92542ecc97fac55fb8d98264f198ea97d146e5a9f9cf

SHA512
fa5aecd4ffa6cecddc7abd72f292efaeb7d38e8f60a8cfd1f7ee27ce50109110df9bb0796abd6f1902461b30e8466ace0996791c3e1c5015ad6454c46f115141

Download Submit
C:\Windows\SysWOW64\Niojoeel.exe

Filesize
59KB

MD5
7ef4d9b5e2bc05e91ebcc508b2711137

SHA1
e539155de543e3860e64d23d33c3a2954c04c7ed

SHA256
8e72dba656c88c7ea4dc44e3fc5e77ef74ac9966d7a0f6690e4402a5cf792a1a

SHA512
34806c7ad9ed0b3e43d3683af09834fe5d7b422efc1755e737b28b985d745ab1103b6fa10ecf2f033bf0b3a97556797a55a2b0f7163811006f56672b4eeb33bc

Download Submit
C:\Windows\SysWOW64\Njedbjej.exe

Filesize
59KB

MD5
2777326883505d04debf2c8e966e61e6

SHA1
2e01d6555243f09814a777c0e46c06bc1d71cd7e

SHA256
c32294e33187e3e46b6bf8d9acdc1aafa3b5d1e930595ad142f83dca5b30eb20

SHA512
56da84a6a9cfccb3e3f2022c7ddee079ba109a516c35d1de0e8e6a0e29f74e2ce83b1ecd7e3d38e208f5fe482319aaa5e083219880b668abdba99b1f25359260

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
59KB

MD5
f6c956336b749b6739d14bac8b584694

SHA1
8550dceea2f3c56ef41f046e0fe83c7d190bae11

SHA256
06bb0aea2482b56af1af7ae4790bba7eea555366710b9993e40019d7d2db0851

SHA512
e28eeedf857a15867d112fb14f6dd3bb3ccce1e05c4da18d7504b8c958ccebc2c61af655e904e4b9dadc5b232b86992a1fec05c837d4011c34f0259dccbc8cb8

Download Submit
C:\Windows\SysWOW64\Nmfmde32.exe

Filesize
59KB

MD5
ac45a1e00ae51d52e381b059511358a6

SHA1
b1f413fb6e4216eae32203e6d041f311db1c0305

SHA256
da0584c99a10a6b54f5dd5440e23d79283a04fce26e789861b3cb459cbbd3c1f

SHA512
4d1e06aa88c739800a9cd4ff917d36735fb6d5b1cc37f87cf17ed5f9f7505bf7039f39aa5d20a021ac0a03ecb0d654321c82645b5752b9db9914c5b58ab9d478

Download Submit
C:\Windows\SysWOW64\Nodiqp32.exe

Filesize
59KB

MD5
462afbf79e5af7ebf8314f7d79897b72

SHA1
185b333a0631970b93eedc629446e07984e85c16

SHA256
8cfae6a3511e193a8e13e7460c899e9cf9adc10cc3563166163920f2bf96be72

SHA512
cb50684e6c040c3e511a01538ff599ce7bdd0310849c04dac57b4c8bd379fa95a8e243a64394c8b668801ca3759b906ad44e2f831fdee8e37d4f38c06195ab89

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
59KB

MD5
6e3609f53bf345e4e7a936e4e9c39f0b

SHA1
3c2c8f811f73bc44e0405b9188c4f3035eee034d

SHA256
7ac6b9db69ce72fba016b78a6ca170fb21a731f075896b7c1214e03ca67ba736

SHA512
779519e67c8a2647b8eac1942f3db132c901396d35dbc4bee2d0a8eb5aedee27dc42f392018a2ce2fd7e5c63d7d7c857dab1d4f938fa430f5a79e851e6ad8786

Download Submit
C:\Windows\SysWOW64\Objkmkjj.exe

Filesize
59KB

MD5
3bfd548f121a8d733704d728bd7f51e9

SHA1
749cb4e4399667ace2de345a2b10856797685e62

SHA256
fb7bbdae0dd8f350a7c4feba5e4e91a95917839991bcf3769de3059e032180ec

SHA512
c41092692590e993d8fe5dcb9abf5ac294c66545d1633d42992bd6a6e80f25a092881309ad1de96f510e779f8a9ae1ce8fdeda8c2c1d451fd58b43b626a1f1ab

Download Submit
C:\Windows\SysWOW64\Obnehj32.exe

Filesize
59KB

MD5
000ce3d3c637a59d5e36150b0ce896e0

SHA1
d35627f6540026a730695f15dbf729a0f2893277

SHA256
6847bc9950b8d265544ebb1042e07b5df0971e64dfa2da36c604544b108f58a7

SHA512
d15b652f03ec88012b361602284c41fad538d0b10cedb33414dac49a3805d1998793b4b83fb45ca5217d0bf7f24fd6a5536dda323732a684e8444c0a30e9346c

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
59KB

MD5
dbdbba504beee38c4cedbd3a5e9c95fa

SHA1
0a0c9b891cf30410a1476ba326133e1adb64cce6

SHA256
62199919d30065cd01b451a2bd11e58b40ecc31cccf194ad0967fa1ec5b1139d

SHA512
e8690bb1bc132efe2e757d98883d734eebd49a441fa78a132b73d8cd4dc321c8299e17c9841e14d75e2531e66a41b3be49cdcb55ec23f00ceef5cb97745be58f

Download Submit
C:\Windows\SysWOW64\Ofckhj32.exe

Filesize
59KB

MD5
e845f28b942b05bf535bcdbc48c98331

SHA1
f981b57d4aaa88ec17a4944d1de3aa350e20cf9f

SHA256
28fde78f24af03b2f5c1d777e400d34694d0d55263b561d05e2f828ffa8f04b1

SHA512
ca37250de2a659a721694bab9b7fbe9e6671342f1841aced7493aaa782c17eccca6ef5eb94e0409c549e9ebab42f8284bf9c9bc5197f813bd6eda39f7453e1f8

Download Submit
C:\Windows\SysWOW64\Oifppdpd.exe

Filesize
59KB

MD5
60aa026055413d80f529d6fc2ed8b74c

SHA1
6e2129fd1b820b3909f2316d5f9bd678c41736f7

SHA256
a5d0cf969e1cc13bb9730c0feb52fc8c85265e5409652b99824850b23dd04ce4

SHA512
32fdfc2a7b4d537a01d96ad309ec2a57579c3148898935e2173fe428b7118a170bb24f0c711598367e23d88acd6cc2f8a9cdb86d3e35a24d7754288cf0aab9a3

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
59KB

MD5
5b00552bcada8d14a764720027a19153

SHA1
52d09925eb16d4e77e65f801e3b8af129f13566d

SHA256
7f328c40e009c458966d77c1960e0809167ca3f65e9b42287a8f43666f8da4f1

SHA512
de1c189d832f6a9b2cec4f5d4f0b747951ffad284f35ce4c0fdfa083a71ea17b538f2dcd1f2bed9ecf43696f19415c93e4845a8b37e3d978caf4eacc090cf40a

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
59KB

MD5
5ad96024999aa8dee680fedadf5fcda3

SHA1
b08eab13ff0cbab81c801f3cbbbc25c7629755a2

SHA256
21b9c97f936464e3d32c43e29b05bd95beaf1ab426ae286dfa25009e131157f5

SHA512
8ebd0478e648380f71c81cf7acf53c9fe96c652c973e3fe4b1b3ea34fb7f40cdf47810a97f67e29920893b9723a893a0dbe5496f4706a20ef3b84454d0464719

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
59KB

MD5
4516b6dd69f007319bd8da07613a1852

SHA1
9eba9a3799106162c43e6a39acd7de371abf046c

SHA256
9a3c5f7a89f8cda4105adc09e640c2d28b7ad27da4c8bcf25d7d8a0cb3f5ce88

SHA512
c77dd4b2700b95b4bbb2e23f7bfda99e59dd1ccbc1a4db9400026b4e7c05e4e51673f8a34be81223ef0f507526153fd8861c4414c71ef2387bb52cb9104293a8

Download Submit
C:\Windows\SysWOW64\Ojnfihmo.exe

Filesize
59KB

MD5
789ac139acc0941bf34c1de317c199d3

SHA1
a562b4a5b6a1450fe0dea65bf6f2879bf7b48ee7

SHA256
464e2605c6fdf076f11b282301f3822864d2d4fb2d77119506aa621b1220ea6b

SHA512
0b6b42bc2d792e8a63aab94143d228ab176fd787057fada6bdfe1ce7d6662f7d9f1783d4c579f882fc3c1a3411375736037da1edb33b9e63046a18e4730190de

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
59KB

MD5
b6032516d41b73fe129c7cee258ef8a4

SHA1
f121d492e535e1b1d08f50d7d4ea3b234391eae9

SHA256
2ad0301b02e9ce831f3ea85b51f7c7488f23b0fe95b200a8d1915eca37024b6f

SHA512
21283d9fa2ba9a91dd9b6b38d297a188af9629e6a9053197fdfa4b980e0bdfb77aad079b062b22c3823170c2a6bfa2d58c40e0248c7b830ac5e955f88afa06af

Download Submit
C:\Windows\SysWOW64\Omdieb32.exe

Filesize
59KB

MD5
77b0f046c3674991b8c264b05c16fc48

SHA1
b2658282ad770ff20ebae0ddf76601e2fa79bced

SHA256
d0bf87fa984766f069b078155cd9e521bc56a6b0a3478d654676268a88ac0331

SHA512
a62f264f463de61a365bc31b7ed00a8bf640ea3fb9a0037a0a5c4021634770eb47eb14249fe08650e0d0a02d5e6c8bb2a3aede1f3d32969f13277369ce1b49ef

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
59KB

MD5
63f5e51f2d5fce9e23ef7a4387918ab5

SHA1
961b9297c1d7fb997402a6330759a0ef3b1404ce

SHA256
ade5fb69c483150f145f542b4fbe18edbd290c10820a3e3ec6d01d02f924b473

SHA512
b07dd582f200e1210c52a9e6f1a490e752c3405034e266a298034ea245122d1e3b47527d4c39a08d2dd72e537de85f6ad9d72686405bbf897f524bc15f620d63

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
59KB

MD5
cf867652bc0f5ca8708e1fb9801c73ef

SHA1
397146b79c35e177e811744e4a8398ac37374243

SHA256
ffabab2b0de340d844464146f36d43a27ba4371be88b8db29f2396715aa51510

SHA512
4d4be3300ed303fe02729618ac5bec5f6b01cacab5a14d2f34dbb55e925ce28879728bb5bc9b6c48892fcd82f88c0286994c4ad096363061e901f201cace7ea8

Download Submit
C:\Windows\SysWOW64\Ooibkpmi.exe

Filesize
59KB

MD5
aa80c966ce900dfa259096782295f4c3

SHA1
13656175a9756ae721fb7dd6ac9af1dc5f41a337

SHA256
169deab0eaa767346878e743838ada1d8a491408d1854137233799889099cc20

SHA512
0a1898bcc58191e82a1a7c808b7576d12b65138a5cdd68113f90cf3d927095488f39e4e5c7440d6e69ab853ae9c4edd48945ab836e1234d3ad1365f1027882f6

Download Submit
C:\Windows\SysWOW64\Ookoaokf.exe

Filesize
59KB

MD5
ba49d8a2b4e622812653a9f13a59fd3f

SHA1
6ec3009d9a82b9badfd1cba237fd310502430066

SHA256
98282bbdd8817352f472af2995d2323f4a1afb42ca538ace7ac527d4e1d8e832

SHA512
01e079c0e890e5e297953e3140d0e6dc34307713d6f5e3414802c41ec6de123afc34b2b28a30dd9cb5a5b97afcca4ef676d559784138ce695673af76874f8dde

Download Submit
C:\Windows\SysWOW64\Oophlo32.exe

Filesize
59KB

MD5
5d6218e1e4e11739ba18008f4a6f68eb

SHA1
ae12c15e9ab49c67ec7f666b83425eb9408cdd3f

SHA256
a822deef13af7bdd8f2be485c257254a5b34ca70888ca305c12b13dc9fd1a7ec

SHA512
7f1907f7f838edc439feaa9e0c4dc2ead444cae8772dc208e7218f8338b936e9fad287312c73dc4d6e0e7e36c18860c591d1975a31b99ecf3d2eadc2bced54b9

Download Submit
C:\Windows\SysWOW64\Opbean32.exe

Filesize
59KB

MD5
64a56f3cfd8bed83c2a07281d4e9bfcb

SHA1
fbea27fc1309d6d17f717b4c70993a4a556fb234

SHA256
85a97963da0c75d36b101d49ff2e0b986c7c5913e98e81c9906a3714823ad10a

SHA512
d0f2b2b9f909fe0a07d0f4adf9368a844c04346b341ef7a2967e3440526d7325af613eb295c1a950fdba6a1b021148fc16ad458acf37cbd6a524c1abf22c6ba6

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
59KB

MD5
072fa99c2a57cb357420a8cf243e46a7

SHA1
da986696f61a57c854ec2b4ac5455de1a487f1c7

SHA256
2d4442b4fea6578831e51eb6b03510b7edc98e31deb981a6b275abf10c9716f0

SHA512
41657d831939e69e0ed230cf5a384eda8e341795c90333fda2d225e4de5ca2247142d4cd383d41b64860dfd695a4e023a121ec61b227d2299d70f89896436eea

Download Submit
C:\Windows\SysWOW64\Pcbkml32.exe

Filesize
59KB

MD5
35ad07f78cedac406eb1fe9944382e57

SHA1
11664bd7b5de62be5d87031e681e19d04b51db58

SHA256
9f829e98cb43ff1a5829a23d9bfd8ca26b97fa9371aeff2da77b10c447d30198

SHA512
6265a2c01d000c7141f10bd68ea22ae41726f5baf08641c9b42d949a93640f9d0bc6f6dcdc5feb7ee57d4a782d16f8343d8cd0c9cd6f42f6559a8609fe3bb79b

Download Submit
C:\Windows\SysWOW64\Pcpnhl32.exe

Filesize
59KB

MD5
36c0d67df9e0e413853ff5891a1d2b58

SHA1
d62efc82efe2ac2378fac234dc4ed0ab25e99bbe

SHA256
56511a857c7aaf8319b121119fdab29a0eca1620a9910b94065fae8d52d72ac6

SHA512
2d69da3c9473f3e29c5b64620b4895ba07649870a1bf8b6fa0c1e7d233d956a53328a459396e233ba330a07b1cbc5abf65ea1e7b997f948fec74766934c18d2d

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
59KB

MD5
ec099e7e0dd75847d6929e7da251fd7d

SHA1
03dc0e5fc9ea10414a1b7849e877c61dd04e911d

SHA256
23a4036f221e4cc052b83fcf1084efb380dc1141682724166b5bb17b77e5e67f

SHA512
fdaab64fadb311af65a8cb462bb6e05092f407a009345d32efd21c46ee900b3b9c1f8535008efe3bf762b0bb931868b610a8f8e0319a39051d23cb9de16775e5

Download Submit
memory/8-180-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/548-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/592-423-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/672-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/728-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/972-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/996-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1000-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1052-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1180-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1544-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1700-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1708-411-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1848-399-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1856-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1912-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1968-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2224-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2364-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2384-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2420-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2676-338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2752-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2788-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-417-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3096-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3108-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3112-441-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3124-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3316-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3404-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3460-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3556-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3564-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3608-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3704-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3748-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3912-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3956-252-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3968-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4000-292-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4140-452-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4168-387-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4268-44-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4480-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4556-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4632-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4640-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4648-375-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4704-393-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4724-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4764-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4824-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4872-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4904-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4916-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4920-429-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4924-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4940-439-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5100-405-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads