da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417

Analysis

max time kernel
134s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Size

88KB
MD5

e70df5bd9c303d84a905421368dde412
SHA1

6cd7916be82fbe2ed51b69eb8487b80a9b18ad57
SHA256

da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417
SHA512

fcb1c4badd0eeb8fbc87b7fc8dafced6d887e8b7eeecb60c82a24f9dd8f14ea4e112ae5aa5a71ee4a3268f560f627af5c01fde715dd2db3e9f122eb743c8d58c
SSDEEP

1536:GUm0tHEMR63pzD0Q8LMn8/H/m2izW+MYMfCyOwhqcaRArUXMwHcjqebXTWCnouyw:GYZu3pvWYU/m2izW+MYMfCyOOqcaRArl

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe

UPX dump on OEP (original entry point) 39 IoCs

resource	yara_rule
behavioral2/files/0x000800000002342a-6.dat	UPX
behavioral2/files/0x0007000000023431-14.dat	UPX
behavioral2/files/0x0007000000023433-23.dat	UPX
behavioral2/files/0x0007000000023435-31.dat	UPX
behavioral2/files/0x0007000000023437-38.dat	UPX
behavioral2/files/0x0007000000023439-46.dat	UPX
behavioral2/files/0x000700000002343b-55.dat	UPX
behavioral2/files/0x000700000002343d-62.dat	UPX
behavioral2/files/0x000700000002343f-70.dat	UPX
behavioral2/files/0x0007000000023441-78.dat	UPX
behavioral2/files/0x0007000000023443-86.dat	UPX
behavioral2/files/0x0007000000023445-94.dat	UPX
behavioral2/files/0x0007000000023447-102.dat	UPX
behavioral2/files/0x0007000000023449-110.dat	UPX
behavioral2/files/0x000700000002344b-118.dat	UPX
behavioral2/files/0x000700000002344d-127.dat	UPX
behavioral2/files/0x000700000002344f-134.dat	UPX
behavioral2/files/0x0007000000023451-142.dat	UPX
behavioral2/files/0x0007000000023453-150.dat	UPX
behavioral2/files/0x0007000000023455-158.dat	UPX
behavioral2/files/0x0007000000023457-166.dat	UPX
behavioral2/files/0x0007000000023459-174.dat	UPX
behavioral2/files/0x000700000002345b-182.dat	UPX
behavioral2/files/0x000800000002342e-190.dat	UPX
behavioral2/files/0x000700000002345e-198.dat	UPX
behavioral2/files/0x0007000000023460-206.dat	UPX
behavioral2/files/0x0007000000023462-214.dat	UPX
behavioral2/files/0x0007000000023464-222.dat	UPX
behavioral2/files/0x0007000000023466-230.dat	UPX
behavioral2/files/0x0007000000023468-237.dat	UPX
behavioral2/files/0x000700000002346a-246.dat	UPX
behavioral2/files/0x000700000002346c-254.dat	UPX
behavioral2/files/0x00070000000234a8-473.dat	UPX
behavioral2/files/0x00070000000234b3-509.dat	UPX
behavioral2/files/0x00070000000234c3-559.dat	UPX
behavioral2/files/0x00070000000234d1-606.dat	UPX
behavioral2/files/0x00070000000234d5-620.dat	UPX
behavioral2/files/0x00070000000234d7-628.dat	UPX
behavioral2/files/0x00070000000234db-641.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
2440	Ofcmfodb.exe
2288	Onjegled.exe
228	Oqhacgdh.exe
4908	Oddmdf32.exe
4212	Ogbipa32.exe
3948	Pnlaml32.exe
1788	Pqknig32.exe
1432	Pcijeb32.exe
2764	Pfhfan32.exe
3984	Pmannhhj.exe
2528	Pdifoehl.exe
2832	Pclgkb32.exe
1540	Pfjcgn32.exe
1992	Pmdkch32.exe
460	Pdkcde32.exe
4820	Pdpmpdbd.exe
408	Pgnilpah.exe
860	Pjmehkqk.exe
4752	Qnhahj32.exe
364	Qdbiedpa.exe
2748	Qgqeappe.exe
1816	Qnjnnj32.exe
396	Qqijje32.exe
5016	Qgcbgo32.exe
5012	Ajanck32.exe
4468	Adgbpc32.exe
1684	Ageolo32.exe
4500	Anogiicl.exe
1636	Aqncedbp.exe
5008	Aclpap32.exe
4988	Ajfhnjhq.exe
1028	Aeklkchg.exe
2424	Acnlgp32.exe
1556	Afmhck32.exe
1272	Andqdh32.exe
2624	Acqimo32.exe
4792	Aglemn32.exe
388	Ajkaii32.exe
1496	Anfmjhmd.exe
588	Aadifclh.exe
4204	Accfbokl.exe
4028	Bfabnjjp.exe
2540	Bnhjohkb.exe
4564	Bagflcje.exe
5064	Bebblb32.exe
3032	Bganhm32.exe
3628	Bfdodjhm.exe
4636	Bnkgeg32.exe
4392	Baicac32.exe
3472	Beeoaapl.exe
1792	Bgcknmop.exe
3480	Bffkij32.exe
1552	Bnmcjg32.exe
4876	Bmpcfdmg.exe
1164	Beglgani.exe
5068	Bcjlcn32.exe
2648	Bfhhoi32.exe
2404	Bmbplc32.exe
5040	Banllbdn.exe
1756	Bclhhnca.exe
1168	Bjfaeh32.exe
4608	Bnbmefbg.exe
116	Belebq32.exe
3160	Bcoenmao.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Ajkaii32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5980	5888	WerFault.exe	186

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 2440	4872	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe	84
PID 4872 wrote to memory of 2440	4872	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe	84
PID 4872 wrote to memory of 2440	4872	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe	84
PID 2440 wrote to memory of 2288	2440	Ofcmfodb.exe	85
PID 2440 wrote to memory of 2288	2440	Ofcmfodb.exe	85
PID 2440 wrote to memory of 2288	2440	Ofcmfodb.exe	85
PID 2288 wrote to memory of 228	2288	Onjegled.exe	86
PID 2288 wrote to memory of 228	2288	Onjegled.exe	86
PID 2288 wrote to memory of 228	2288	Onjegled.exe	86
PID 228 wrote to memory of 4908	228	Oqhacgdh.exe	87
PID 228 wrote to memory of 4908	228	Oqhacgdh.exe	87
PID 228 wrote to memory of 4908	228	Oqhacgdh.exe	87
PID 4908 wrote to memory of 4212	4908	Oddmdf32.exe	88
PID 4908 wrote to memory of 4212	4908	Oddmdf32.exe	88
PID 4908 wrote to memory of 4212	4908	Oddmdf32.exe	88
PID 4212 wrote to memory of 3948	4212	Ogbipa32.exe	89
PID 4212 wrote to memory of 3948	4212	Ogbipa32.exe	89
PID 4212 wrote to memory of 3948	4212	Ogbipa32.exe	89
PID 3948 wrote to memory of 1788	3948	Pnlaml32.exe	90
PID 3948 wrote to memory of 1788	3948	Pnlaml32.exe	90
PID 3948 wrote to memory of 1788	3948	Pnlaml32.exe	90
PID 1788 wrote to memory of 1432	1788	Pqknig32.exe	91
PID 1788 wrote to memory of 1432	1788	Pqknig32.exe	91
PID 1788 wrote to memory of 1432	1788	Pqknig32.exe	91
PID 1432 wrote to memory of 2764	1432	Pcijeb32.exe	92
PID 1432 wrote to memory of 2764	1432	Pcijeb32.exe	92
PID 1432 wrote to memory of 2764	1432	Pcijeb32.exe	92
PID 2764 wrote to memory of 3984	2764	Pfhfan32.exe	93
PID 2764 wrote to memory of 3984	2764	Pfhfan32.exe	93
PID 2764 wrote to memory of 3984	2764	Pfhfan32.exe	93
PID 3984 wrote to memory of 2528	3984	Pmannhhj.exe	94
PID 3984 wrote to memory of 2528	3984	Pmannhhj.exe	94
PID 3984 wrote to memory of 2528	3984	Pmannhhj.exe	94
PID 2528 wrote to memory of 2832	2528	Pdifoehl.exe	95
PID 2528 wrote to memory of 2832	2528	Pdifoehl.exe	95
PID 2528 wrote to memory of 2832	2528	Pdifoehl.exe	95
PID 2832 wrote to memory of 1540	2832	Pclgkb32.exe	96
PID 2832 wrote to memory of 1540	2832	Pclgkb32.exe	96
PID 2832 wrote to memory of 1540	2832	Pclgkb32.exe	96
PID 1540 wrote to memory of 1992	1540	Pfjcgn32.exe	97
PID 1540 wrote to memory of 1992	1540	Pfjcgn32.exe	97
PID 1540 wrote to memory of 1992	1540	Pfjcgn32.exe	97
PID 1992 wrote to memory of 460	1992	Pmdkch32.exe	98
PID 1992 wrote to memory of 460	1992	Pmdkch32.exe	98
PID 1992 wrote to memory of 460	1992	Pmdkch32.exe	98
PID 460 wrote to memory of 4820	460	Pdkcde32.exe	99
PID 460 wrote to memory of 4820	460	Pdkcde32.exe	99
PID 460 wrote to memory of 4820	460	Pdkcde32.exe	99
PID 4820 wrote to memory of 408	4820	Pdpmpdbd.exe	100
PID 4820 wrote to memory of 408	4820	Pdpmpdbd.exe	100
PID 4820 wrote to memory of 408	4820	Pdpmpdbd.exe	100
PID 408 wrote to memory of 860	408	Pgnilpah.exe	101
PID 408 wrote to memory of 860	408	Pgnilpah.exe	101
PID 408 wrote to memory of 860	408	Pgnilpah.exe	101
PID 860 wrote to memory of 4752	860	Pjmehkqk.exe	102
PID 860 wrote to memory of 4752	860	Pjmehkqk.exe	102
PID 860 wrote to memory of 4752	860	Pjmehkqk.exe	102
PID 4752 wrote to memory of 364	4752	Qnhahj32.exe	104
PID 4752 wrote to memory of 364	4752	Qnhahj32.exe	104
PID 4752 wrote to memory of 364	4752	Qnhahj32.exe	104
PID 364 wrote to memory of 2748	364	Qdbiedpa.exe	105
PID 364 wrote to memory of 2748	364	Qdbiedpa.exe	105
PID 364 wrote to memory of 2748	364	Qdbiedpa.exe	105
PID 2748 wrote to memory of 1816	2748	Qgqeappe.exe	107

C:\Users\Admin\AppData\Local\Temp\da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
"C:\Users\Admin\AppData\Local\Temp\da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\Ofcmfodb.exe
  C:\Windows\system32\Ofcmfodb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\Onjegled.exe
    C:\Windows\system32\Onjegled.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\Oqhacgdh.exe
      C:\Windows\system32\Oqhacgdh.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        23⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        24⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        44⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        53⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        64⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4796
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        68⤵
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        70⤵
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        71⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4016
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        79⤵
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        84⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        90⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        91⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        94⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        95⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        97⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        99⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        100⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 416
        101⤵
        Program crash
        
        PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5888 -ip 5888
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
88KB

MD5
1d891f99a5fadfdb201d25fd68ef6e89

SHA1
ab5cfe87e7544620f18da9f188f391dca8001bd8

SHA256
139fa7cc2f532c233fce00fd354924720cc46c2c8796940080500b0cbb0303ba

SHA512
3c0cb7e418d213713f11d081746ce82d945aea2aa0c242469e6f59a0a456459dd2e683049cdfc9775aa00841251095da284b49d0356795ab1433320fdd895f69

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
88KB

MD5
d62031f1455e7878937f0ab2791681b0

SHA1
1333d864dc54b4085d4230f52543b4b95adcdd06

SHA256
3d748692d942743967d0f11316b2a5b73257339b40eb56e2bd3e211b0b5c9b94

SHA512
1678a0e9e27f09d5d4b53765855c2ec916a140fdda5031ffb8ddad3c26064392f58237f3ef7128560c5c7f8328dfa2fdf7befaaa00f6527f83cfca757732f62a

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
88KB

MD5
287bcb30e9995b62fe4b6ebabf921c37

SHA1
7290720e0f806e5694b5c385cdf2f06ad7fed70c

SHA256
89980181a3174fc814a009d6826d8fb6b7072ae444c7c4aee1d7c6f5c5081131

SHA512
0b89db6cbf046931df83d768ec344918eb4ff2d959d820a7875fd0fa03dc102b7a2c8ecc28873240c85abf83c759f0e089c160fc13fe98650c02edd5f181ed2e

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
88KB

MD5
eb8ba20eac462402ff0aff07dac74422

SHA1
9c3eda769d0ff02d2d8da7ba20dfc6cb058efdd3

SHA256
8f6084426164715104b7d982cec5b916bd2f00dc58b1d0e6a1883d207c190693

SHA512
c70b773ccb5fa93799e7c796ae6791a00da317589fa273bf5938b3390ca1a3439ddd52f21e0df6e9ccdeb70fc30fc5e33046b2c30b46a1ae60b403831f2e7256

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
88KB

MD5
e0f4b2f22629154435795f477d1f7674

SHA1
cde8c8122bb20def648b6acdc4b99b15a2e5dcc4

SHA256
9a38bff3373e11922aca20acad5056539c1638175bab4c1ec504e91fbb5ae665

SHA512
ed7c055037997ebd80981ac91ef37cb4f859835d81462e381f2b2f5d9f1d9fccc71d90e049f0d8085e0b50bc66775599549797ff69a7e2bae82adf246e9111c7

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
88KB

MD5
7f41265eb2f432e2339dcd58d75787fb

SHA1
c9930a51d6efe49383fa234aa155b1cc7a94c33f

SHA256
020485ee5333ab11ba3c6023f83e38ce677a56a04c3a480c61e83fae092b03da

SHA512
0b0bf5300809decea3f89c661fd9a1d9fef91d169b1da3457db518271722a126a2ba18500962bf3e08fc7d7f5eac757356162e866b8eb5cd86545eb3f7ab210f

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
88KB

MD5
c78c9c4b4e5b8c0a861eb33132dfb371

SHA1
71a4012edc72ff7a24d7771f79f28dfc13445a82

SHA256
1659c99ec1d8e9c2cd7e22694c7ec56c20d0d9fa81d6278b99fcb589aefee462

SHA512
0ace717c260e86567ef697d6bff23b16355d834069c709954abeb127cde08e353e44333f6ee37eced2dbe5b515073def001f95e6fcf55f996844d8fb4857537b

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
88KB

MD5
b282d931e55e1146c32290674b9bab0d

SHA1
3b28768dd4adb2e06b9e0984aeb507e05a1d8a8b

SHA256
9734a20faf81f1cf4d687b2a5dd95d6c6ad88d0d1c61241969de7403c1c577a5

SHA512
833db312def995fd9591d250218f266987b87e153867ef26e424ba0d73d2fa4d5df5e3508b46eab3613ce0b1a63b8ded65d4cbabdd063c702db31c4bf3692a11

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
88KB

MD5
e75edc59ef27296546dcdea6aab6f8f9

SHA1
a1486fbd1e955aea241fd12fcee97b6de7cf6b5b

SHA256
43d9e8a78384c7604601f804882f9c263acb2aa4eef56f32bed57c1fd60e8ddc

SHA512
61dea6fb52ddfb098e076465c7b3e84855d71bb1862cec03927bfeb926326a7fc33b642cf57d9a6098e807a3316d31aaeabaaed6d5b3cf325ae2e0b7f42762d6

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
88KB

MD5
04499e7222e2e38032725ad013bfe322

SHA1
fffa84abadb32107d21205930587a0c0637c5dab

SHA256
3b8dd6c5d799a42c05ca3bfffd7d15c435ecd01d481d0150e73c5b357d9c98ef

SHA512
a503ecaba772f7db23508248e5b0b121fd150086ccde7cf0a0e6ea881c8b946ccbd06eeabeae5d81940a8643ab6eceb71d24c2ae7420b8fd2c3ff1bd3b616ddc

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
88KB

MD5
8fd6e5c9e2da392a2619c6f35c26f480

SHA1
aa4aa880dafde372dde6b8fb57c4a6b704654284

SHA256
16b8f0b4fe43e122ab54b4a494df49021d99cbe9c7916a57bfd348b8ef1774cf

SHA512
442a7770bccf27bad655fe9dee2c67398765a5db04f6a69b0f6c7144565dbd60e1c224c238ee13c4cc3bb35e2a1238bb2ca2ed11f07f3e84f3eb5d75f0d838d9

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
88KB

MD5
8bd2bd4de87bed65c493d66bca59bd5c

SHA1
dbcd8eda74af4f45bbda59b2577bb94b11445075

SHA256
d14275ec11c289574f5896c28a265d128a18a4b1622ce9342a5064ccf7b7a797

SHA512
e17e25d3311bd71c5c949ae9663f032bfd1e9093bd76643f855542b1d3609f3aab8e35dfc561b32dd8a6a599d832c36a2f7444ee19275fc3a228ca1624f9ce44

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
88KB

MD5
17900dbe13c0279c59b047a5dc7e9787

SHA1
8399c1508442b8c0b4bd93317dd5f6e395a526be

SHA256
5a6da026fd6616f12ce751e3d81209d5ad262147d9fb1392ce329d56dcca6658

SHA512
d7c5b601f5d13475e6ae0c205ec59f24a715fa81e3e6689abb95ee0ca2c224851020ad9f7b780bdaf2261bab40759bba3bc80e94aa3f4c6bd52a1254e54797fd

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
88KB

MD5
dbb812d12985da8faf2c6bf0b012c2bf

SHA1
ce2d7f4c2a154e91be1b1597f2bdf50fd8c2f5c9

SHA256
5bc7690e5f3c8b22a70648f54d1b81cfe66e88cffb5648b70c3a82edfd235887

SHA512
0ea7d6acc0530d379b9af130c5a88765c3fb6ae988bb22a04be273106a67c01bb4b7b9bb66debf38f5edb3453f21c430ecb79bfacb129a8711cdb2ac0418953d

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
88KB

MD5
328f6cd08d434d27c50da985d517c1a0

SHA1
75929f43cd00f8e77e59c7b54c92543e5b49ee04

SHA256
91a8f5e54d43ef5ba4dfc6f83efe5d408b46964947551cd1056627102a9545bf

SHA512
8828d8d2659f7e67499825359380fb3b93554adcb76bb48a1c3724e80dbbe77080ccedf8bafceb40b7cd80c64ea10ff7837c277cf5a6bc81fe08265d6df859ef

Download Submit
C:\Windows\SysWOW64\Gqckln32.dll

Filesize
7KB

MD5
d0340a9d3af8294007142f96c2bc9565

SHA1
f7c8e1cdde870498fa7c038934daeafcd96d192e

SHA256
f35dc65f035f3a6a6e27d6a865e9aa6f236dd513abd567f8f5fd33fd3d79334c

SHA512
48776aff34d91e32a0ffd440e7d7effc941526d90e0796c726a821c47ecff9ca618dc72a06ea7414043d209cbbc99008de29dec46d2c4b0914d68e033d3236f6

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
88KB

MD5
75f607dc4895cea73bd687941428668b

SHA1
a7568332a8b276e64524f7cbda94d3495d456901

SHA256
26a69d28584b25ec776f195dc06f13dfd2a7987baa00f60bccf2a86dae58280a

SHA512
6514b7a92069e3937a7c935b37d67461e7478c2208cd14e390b657cf6fb9b11a4ee88e4e4bc0249697338b51f20296498691a32f098b8a0c0df8708f8e00b823

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
88KB

MD5
d48e179415ac4a484e42528a7d4df7e5

SHA1
03b2f5530abe119268e57b6ad2b365343a8eead8

SHA256
6e08c87ba988f54e405af9044984b11d105e560523fb14c51ecd84fceb92b3bb

SHA512
a14e5cd6e5f08efa6a8841cae1ed0e7a7de497ad08a55a7fb89450d268663e169453395ffae90c35fc4db98a35a49530369a194a49f22afa62c09941dc03714f

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
88KB

MD5
6a21045bcb5723e154de8541947dc065

SHA1
e79d39e11711028b080315a09bfb70e3f2b6598f

SHA256
0f356a17e45fadad79335db0c2359f5996e0f5c17bdd9c6d8f74b41b619c5cec

SHA512
9273bc073684d218c9ee493efc8b472dd7e3594414872d46ef9def190885dbe3839fb12be8a642d495b9f8907f55d97d281f255ce45396847b0a1a6542d00b51

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
88KB

MD5
3f49c0846a3bbb9811f9a452e127d142

SHA1
cf3830b68ef5007796d6260b8249d386d69ea1da

SHA256
6097b16a8714f31ee047675d7222f490701c0c9500b075ec63fe2ebbc9bba176

SHA512
7f0471bd925aeef44c20be753a49a786dd590b947edb9bf8eb2bbea8d6c2a26518350364106e2988fff2fcdc0b12ca98e76d93781cf000cdc3d1b307b2a38a40

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
88KB

MD5
233ff99dc9a649024d2b50efd5f1aed3

SHA1
61234ef31825b7e3bd50939df23609cd09627478

SHA256
33163ec224d69612770e04c36f3a647443b454a951d4e25fc37502670d7c0ccf

SHA512
e2d1407a41b3c357f55e5f656434dacbcff20bba557f170e65404326242346589f5c752f61e5cfb5e9a0d4521d88667b0ed104c08a8a5e11d2a79c4f63b22630

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
88KB

MD5
5ff249b394fb1852b02c9b08867443ce

SHA1
49d8350a7d6ed73fc74678100f12b60a38c88cc2

SHA256
76f296f534c5b5bb48ad75042bf9c6c295f2786aeb22d079c868df1eaf5570ec

SHA512
0ea5418a7bb37dc55ca0e603f385d73552dcbc9170d8bc375a496ac801ff4b1c998aac33ecb6ab3e2edf829d0f56d95f673b256f044f4167c1844c3131d5a403

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
88KB

MD5
cb5f42ad8de6a9df3226dc9c53bfb093

SHA1
3cf296acaebbcc37ff18e5403b61d2ef50369512

SHA256
f5a7146498d6030de93470af5ae21552959e87a0953be83c8fb4bff4c0d30812

SHA512
edf57dc154ce64ceb9335c6285ee2e94e42fd76eac32df1b517704606126a680040a64ef946097377eed53391b6b2e7196d1e9fbb0ae26aa1fba19d92bdf666b

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
88KB

MD5
3fc23dc41ebc45a52eec01bc6748ef80

SHA1
162f4c8a81791aa75c1e89a15768461e1cfd3909

SHA256
51218187ecb27a55a4d7772f5b1c2c41d45dd6dcdb906a7681987130c6f75643

SHA512
bc63db7805ad171ad33b2929a10b1b8fb553cf76233faf440a2e9a04ff2df5fe098f14c9155f993c3ad7f8fc952f804244adeb1b08cfb58d312c1d26ef94c2b4

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
88KB

MD5
0e53c9aea6414f077d5d63e773df4586

SHA1
1d4a5fa566f6e0b02bb22558b61c8c7c7fe6f23d

SHA256
b3efcef0cee1e4da4775d22c36e87a1a8bccf6c07d279cfe8e74b589cc4f1482

SHA512
536a5b2a932dded8fbbf98d203b1d996101110441d7ee105891278bf8d4d67dbd07236ed52d07ff6efdd7efb59a4ddff7b4537f3a9476c401937baa326697f9b

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
88KB

MD5
98fbd52484bfbdcb602077d086c14ed6

SHA1
231ba01f4b208d4e0d958a3df25aec72a53f3643

SHA256
d87961ead1123eede45d8f872361a540c2cba521325f2ae82729574adbb17f8e

SHA512
9fe19b3075a5e43739d859f06ddd28f05c5bf777d633479411eb3d5c40855ac0d18445daae94b02cfbde306c899424958a7c34b1807e21039f3449efef617597

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
88KB

MD5
a07535ac5d459d7175717304c2580cb9

SHA1
6cbbaa1be88cfbe5d9aa7c35b4f9d78ff653144e

SHA256
75c41d69ed37d547616dfa1115b3d93101b0098834b26b6ca8be4ac84172220a

SHA512
28da1c4ab99811601c790ae5034841a05d9870c437db3213e009ae7624374c8878d384865ca4710f1eb169ebfea4841135867e37093784d1020fb0387872d939

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
88KB

MD5
2e67f402893f12db275aa2f0c54efbc1

SHA1
dac123e5fe24e7437a6607adc6a34ffa5369acbd

SHA256
7cefd5188ed1e435be29219a3481322b6e0c848c1a89bef267286b25e106a1ae

SHA512
fdb8beeca80bc955135970d1c3068ebdbd24fec083f7371c9787825777b6410b070f61e45f3f46d4356eb41f5a66e2540c4fd7e9e02eeb5f275b0be4952ece43

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
88KB

MD5
348ad14c54d6b41f3109ee06dcda2a6f

SHA1
284f96e029db3b68ff31bde70b72b83e5400d3e3

SHA256
e005d3109b36bdb8a241b6bb51bd252cec33508b4164029899219ec5ecbb8f55

SHA512
66628003d25da828e75a46002a95144a2c71167d1b98d175cd4b14ddac97bc575c5f8560c9e96d47b0421b12eef996e086f1cefc8be032abf304f958ee639626

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
88KB

MD5
fc0dea0c5acc2ff05f84b46054ca70e6

SHA1
948b760fcb6914b584ae1e5dc8d3df88b66882de

SHA256
4de2d9792e93423ee00703fb3f66dd021dfa5b9135892d9f2b7a091d6e16e864

SHA512
e33847dcef62234a61aafeb3c7ad4190049109964b99baaa600f97636a78215d63265d44d2b5d9ba0c92a235f297307cd74112250521e904007d5cbb279b7213

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
88KB

MD5
10c591b74f7da2e785fdf9d6aad6814d

SHA1
bfb02fbdaf48b07aced8a0983288b70fe1f74b6f

SHA256
9d58a4b794d40e7633af4c21b288c6d4168c610c035049ce4adc6098c15a49ab

SHA512
9c25a499517e4341936aaea765082bae9ce8f7675da7660930269258375d2d5c83f2a7a18ea82fa5ca539e0296234111ededd8d015aa0f8a0746a9b3ec72c440

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
88KB

MD5
bb36171e8041b01b5630bf7a87c741fc

SHA1
8cdcd98715b003be83011331168b960fea505178

SHA256
4d3132b37e0217efe5b6720b5231e54e3c6e1eef7bf4b12f803ed7c8891f00c5

SHA512
8f7a2c913d9dd6330fd2994b7e22066fa6b2ad3baccc3a8fc1f536a0152efddb9fc93d116e3ce342cd7a01031d02d1bf0943cbe0791037e74569ee384c4a3b52

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
88KB

MD5
d660b4b933079bfd74aa48ee3f3490b6

SHA1
160fa3ea2d7eef065ede854b6edb7f8321dfe294

SHA256
294a1241c8a86a000d0e095acaa157d3baae6ebe30a18f7eafc8257b30b2064d

SHA512
fc14b59740f8ad9229a6ec9bed980349c6428a4ff4c3ccf9ba3c4727289335334c486aba59c84c017122bba04133c134c5ec30d0f3d450243e0590d3549c77ad

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
88KB

MD5
6d91d2eda0617e11f3187df0535ce360

SHA1
dab79c7433a365ced691aa2e44b1d59eb8d2b38e

SHA256
917f7fe8aca23c1926c93b057b853f2da759415cc66b575db4591eba3157c59e

SHA512
33a08f88a9a9197ae49b5886d5c62df04808b298d35cc6b68713e2a5987dfa85b51089c9d5609c2de5af3b903fd0dda8889da5124accb196cbe36f9bcd42bcc6

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
88KB

MD5
85f9d331003e465bf9b6d1c1a7b4aa4a

SHA1
40ddf865506ed429c636b46b8d22c1c926b2d97a

SHA256
cc9fc56995b3b1ecc96dc7d0c9448de605078955d5c15decd8520c2832e437a6

SHA512
713e113ed5821703364d13dd737646296cf6b2c098b855ec890a7e51f2a9551ac7bc6841946d61141137c6e28df4a1001b82b2ee44992298e1babbd3dee21c2c

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
88KB

MD5
7bf04622910a514ac02a1c2fa0cdad11

SHA1
cb3bc5b44261b122012aa20f9b916c8c50bb4d2f

SHA256
26addd35da4b6676b805a112a810d29a3544fb0440df3aecd2f88da2f8f221c5

SHA512
63077ab1af166b3b5e1d9b872a684e885c4383383d10a04ac1da4b4c41f6286536cf99d602e90423048c166f1efe1406ce6728c39d181ddecabbda5fee461bc4

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
88KB

MD5
d9cdca6d1e7bbcd0342f9603101e4324

SHA1
cddf026e7f19488683827c223a63f775a84e99c6

SHA256
ab55208d21f3c8a6a59ce6ec045f5be848c91668d84942c3d8b97b6315e4f820

SHA512
b8dbf21c0e9366df508c77b7f9a9f0d608f5bf49a18cec9178cc1b0fa0ce21d74f79b4020f2f8fa94313f890417c0d9daa8cebe44dbf4144b3378bb7e708548a

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
88KB

MD5
aa07ade71eb76ccede15f833d8bcb7d9

SHA1
9823962eff3d9f5ebc9af26b26486bcf986cad27

SHA256
9cad8734041ea9502b8cd7ab5970a49d4a7015b20519163f6b0e210b70564cd5

SHA512
45833e84b04109c839897349e2561ba026ffaefc4307e3e3041e4c94656a4893e18460ae831d42ecde3f1900fa73e30b8b9f53dc762b6ba96befd45fae113b2c

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
88KB

MD5
bac5cd1919af8e55c5c42eece8843e80

SHA1
ac1a286386ce0f4d2443ae9cadebef5c04cf54f4

SHA256
ef2b02909ca253bfe990087dd3423769e539866dc2f595ee3911ad4458251e8f

SHA512
514a012c66961e85572778c49971eca41628e0411ed722d093bcb157f8ff1a9ba9c296a27039f5510910f6a8a604dc34628e03943c7e2200070f63b428206679

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
88KB

MD5
fbed94f1e12485f191921ca1e9d6f115

SHA1
2c3757f9e55e0370abfff144d2c4ca3563171369

SHA256
92c503faf4605663bea65975e70eafc47da4c59eeced43b29ad8600d582ed166

SHA512
7922ac0204f2c68ff20f5047a13bf09fc314ae0923266a43c0a54cf2caacb624ef12e3a12b2b1cf9f22bc3c70da1add33097a8bbe7498bdb39bac63ef9dc61b1

Download Submit
memory/116-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/364-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/588-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/804-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5132-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5180-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5228-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5268-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5304-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5352-595-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5396-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5440-694-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads