4939fc016cff0be04e102005b29555fcbf5364f4892cd409940f60dba6bb8e9b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4939fc016cff0be04e102005b29555fcbf5364f4892cd409940f60dba6bb8e9b.exe
Size

55KB
MD5

4c4b6116418d3e56e16f1bb25c1718cf
SHA1

ee633a24c49d1610f535f46668d25024d3b5b75e
SHA256

4939fc016cff0be04e102005b29555fcbf5364f4892cd409940f60dba6bb8e9b
SHA512

1db706ea26851ddcdc8c249ad6d17c9a18223aa6b08133d07374579940d014f7eda7c417264316271204219e758397c18322ab1f9e6d7932c1ebbd8bd8451c95
SSDEEP

768:kqZTMDadYxfzR6Kcu7mFITazRNuMB3SAUQTMDAZXfEWY/3RKftrCd222VP6dCD2w:l2dVXT6flhd468WIia222VsI2LK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe

Executes dropped EXE 64 IoCs

pid	Process
2972	Nngokoej.exe
3384	Npfkgjdn.exe
260	Ngpccdlj.exe
1524	Nebdoa32.exe
1396	Nlmllkja.exe
3984	Ngbpidjh.exe
976	Njqmepik.exe
3820	Npjebj32.exe
4136	Ngdmod32.exe
4476	Njciko32.exe
1516	Npmagine.exe
5084	Nckndeni.exe
3980	Njefqo32.exe
1128	Olcbmj32.exe
3944	Ocnjidkf.exe
3896	Ojgbfocc.exe
2460	Olfobjbg.exe
3948	Ocpgod32.exe
4444	Ofnckp32.exe
4100	Oneklm32.exe
3104	Opdghh32.exe
1044	Ocbddc32.exe
4420	Ofqpqo32.exe
4056	Olkhmi32.exe
3808	Odapnf32.exe
4528	Ogpmjb32.exe
1084	Onjegled.exe
4372	Oqhacgdh.exe
4860	Ogbipa32.exe
3832	Ofeilobp.exe
3476	Pmoahijl.exe
564	Pdfjifjo.exe
4616	Pgefeajb.exe
4780	Pfhfan32.exe
1224	Pnonbk32.exe
2708	Pqmjog32.exe
5000	Pggbkagp.exe
4168	Pjeoglgc.exe
2704	Pqpgdfnp.exe
2232	Pdkcde32.exe
2200	Pgioqq32.exe
1476	Pjhlml32.exe
4112	Pncgmkmj.exe
4772	Pdmpje32.exe
1916	Pgllfp32.exe
1668	Pnfdcjkg.exe
4032	Pdpmpdbd.exe
1032	Pgnilpah.exe
4400	Qnhahj32.exe
4076	Qqfmde32.exe
4408	Qceiaa32.exe
1132	Qfcfml32.exe
4152	Qnjnnj32.exe
224	Qddfkd32.exe
4512	Qffbbldm.exe
4672	Anmjcieo.exe
4448	Aqkgpedc.exe
1112	Afhohlbj.exe
4896	Anogiicl.exe
2072	Aqncedbp.exe
4012	Aclpap32.exe
2016	Aqppkd32.exe
4336	Ajhddjfn.exe
4912	Aabmqd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	4939fc016cff0be04e102005b29555fcbf5364f4892cd409940f60dba6bb8e9b.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Nebdoa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5296	6128	WerFault.exe	207

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 2972	1492	4939fc016cff0be04e102005b29555fcbf5364f4892cd409940f60dba6bb8e9b.exe	84
PID 1492 wrote to memory of 2972	1492	4939fc016cff0be04e102005b29555fcbf5364f4892cd409940f60dba6bb8e9b.exe	84
PID 1492 wrote to memory of 2972	1492	4939fc016cff0be04e102005b29555fcbf5364f4892cd409940f60dba6bb8e9b.exe	84
PID 2972 wrote to memory of 3384	2972	Nngokoej.exe	85
PID 2972 wrote to memory of 3384	2972	Nngokoej.exe	85
PID 2972 wrote to memory of 3384	2972	Nngokoej.exe	85
PID 3384 wrote to memory of 260	3384	Npfkgjdn.exe	86
PID 3384 wrote to memory of 260	3384	Npfkgjdn.exe	86
PID 3384 wrote to memory of 260	3384	Npfkgjdn.exe	86
PID 260 wrote to memory of 1524	260	Ngpccdlj.exe	88
PID 260 wrote to memory of 1524	260	Ngpccdlj.exe	88
PID 260 wrote to memory of 1524	260	Ngpccdlj.exe	88
PID 1524 wrote to memory of 1396	1524	Nebdoa32.exe	89
PID 1524 wrote to memory of 1396	1524	Nebdoa32.exe	89
PID 1524 wrote to memory of 1396	1524	Nebdoa32.exe	89
PID 1396 wrote to memory of 3984	1396	Nlmllkja.exe	90
PID 1396 wrote to memory of 3984	1396	Nlmllkja.exe	90
PID 1396 wrote to memory of 3984	1396	Nlmllkja.exe	90
PID 3984 wrote to memory of 976	3984	Ngbpidjh.exe	91
PID 3984 wrote to memory of 976	3984	Ngbpidjh.exe	91
PID 3984 wrote to memory of 976	3984	Ngbpidjh.exe	91
PID 976 wrote to memory of 3820	976	Njqmepik.exe	92
PID 976 wrote to memory of 3820	976	Njqmepik.exe	92
PID 976 wrote to memory of 3820	976	Njqmepik.exe	92
PID 3820 wrote to memory of 4136	3820	Npjebj32.exe	93
PID 3820 wrote to memory of 4136	3820	Npjebj32.exe	93
PID 3820 wrote to memory of 4136	3820	Npjebj32.exe	93
PID 4136 wrote to memory of 4476	4136	Ngdmod32.exe	94
PID 4136 wrote to memory of 4476	4136	Ngdmod32.exe	94
PID 4136 wrote to memory of 4476	4136	Ngdmod32.exe	94
PID 4476 wrote to memory of 1516	4476	Njciko32.exe	95
PID 4476 wrote to memory of 1516	4476	Njciko32.exe	95
PID 4476 wrote to memory of 1516	4476	Njciko32.exe	95
PID 1516 wrote to memory of 5084	1516	Npmagine.exe	96
PID 1516 wrote to memory of 5084	1516	Npmagine.exe	96
PID 1516 wrote to memory of 5084	1516	Npmagine.exe	96
PID 5084 wrote to memory of 3980	5084	Nckndeni.exe	98
PID 5084 wrote to memory of 3980	5084	Nckndeni.exe	98
PID 5084 wrote to memory of 3980	5084	Nckndeni.exe	98
PID 3980 wrote to memory of 1128	3980	Njefqo32.exe	99
PID 3980 wrote to memory of 1128	3980	Njefqo32.exe	99
PID 3980 wrote to memory of 1128	3980	Njefqo32.exe	99
PID 1128 wrote to memory of 3944	1128	Olcbmj32.exe	100
PID 1128 wrote to memory of 3944	1128	Olcbmj32.exe	100
PID 1128 wrote to memory of 3944	1128	Olcbmj32.exe	100
PID 3944 wrote to memory of 3896	3944	Ocnjidkf.exe	101
PID 3944 wrote to memory of 3896	3944	Ocnjidkf.exe	101
PID 3944 wrote to memory of 3896	3944	Ocnjidkf.exe	101
PID 3896 wrote to memory of 2460	3896	Ojgbfocc.exe	102
PID 3896 wrote to memory of 2460	3896	Ojgbfocc.exe	102
PID 3896 wrote to memory of 2460	3896	Ojgbfocc.exe	102
PID 2460 wrote to memory of 3948	2460	Olfobjbg.exe	103
PID 2460 wrote to memory of 3948	2460	Olfobjbg.exe	103
PID 2460 wrote to memory of 3948	2460	Olfobjbg.exe	103
PID 3948 wrote to memory of 4444	3948	Ocpgod32.exe	104
PID 3948 wrote to memory of 4444	3948	Ocpgod32.exe	104
PID 3948 wrote to memory of 4444	3948	Ocpgod32.exe	104
PID 4444 wrote to memory of 4100	4444	Ofnckp32.exe	106
PID 4444 wrote to memory of 4100	4444	Ofnckp32.exe	106
PID 4444 wrote to memory of 4100	4444	Ofnckp32.exe	106
PID 4100 wrote to memory of 3104	4100	Oneklm32.exe	108
PID 4100 wrote to memory of 3104	4100	Oneklm32.exe	108
PID 4100 wrote to memory of 3104	4100	Oneklm32.exe	108
PID 3104 wrote to memory of 1044	3104	Opdghh32.exe	109

C:\Users\Admin\AppData\Local\Temp\4939fc016cff0be04e102005b29555fcbf5364f4892cd409940f60dba6bb8e9b.exe
"C:\Users\Admin\AppData\Local\Temp\4939fc016cff0be04e102005b29555fcbf5364f4892cd409940f60dba6bb8e9b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\Nngokoej.exe
  C:\Windows\system32\Nngokoej.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\Npfkgjdn.exe
    C:\Windows\system32\Npfkgjdn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\SysWOW64\Ngpccdlj.exe
      C:\Windows\system32\Ngpccdlj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:260
    - - C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        28⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        30⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        31⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        35⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        40⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        41⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        43⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        48⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        64⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        66⤵
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        67⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        68⤵
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        71⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        73⤵
        Drops file in System32 directory
        
        PID:712
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        74⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        76⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        81⤵
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        87⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        89⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        92⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        93⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        96⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        97⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        101⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        102⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        103⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        104⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        105⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        106⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        108⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        110⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        111⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        115⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        117⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        119⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        120⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 404
        121⤵
        Program crash
        
        PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6128 -ip 6128
1⤵
PID:5252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
55KB

MD5
b9e1ebbdf4eff16bf6f5cdf1c57fd347

SHA1
9f0d33e0447d075ee7b6f87d1e5ea114a37b9fc3

SHA256
57dae95efec6f344be27f90c1553512068af481631ff0c8cf243272dbfc4c80c

SHA512
b97aca716adb55a1112414dba0e9745fe649ae75fbc23ba4d19bea50c4491b93fd34d4f19937e2868386a45f96d6d3d2644725da779bcb0798513d4d2858cf58

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
55KB

MD5
8a958d49833744d20ed2290b2f3cbaf2

SHA1
26b7c6d600910b82379db6b5918b3456c60cd003

SHA256
688542b14f858636055dae2e28edafe6d677a9120662a2ebfbf75fe3d0fe2d6a

SHA512
2ff83b4003efe62aac47e4d57365ae828529ff9e6bb993cdd60040b51a80a34e0a81c25f29d5a252ca5901ff2723e0b76c7157915cb36aad9a14dd9e957ec386

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
55KB

MD5
d7a7adc796ee59f1fc34212b8a037d07

SHA1
b677b97645f5d84d5a93228112c75abde6335dfe

SHA256
8df33c6071f6552b249558a1034312b688f6f3391a7933dee3829310d32d9a3e

SHA512
a32806b91faa71379a8a870be3129920eb7c25884fcd26cf03289ef32ed60423d45dc7d7c22caa33dd0f6a88170e767338b6ffab1b8f3c0caf17b3a9efdc562d

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
55KB

MD5
a23c24b56962a08a93c5e148751c5a37

SHA1
c8d1f7b0085d4b8979831233159eda0cdc598431

SHA256
aa869c6bca58f377ccfe35de16b3c28d8820884bcf9f3f7a8662acaaad5a614e

SHA512
c0e922b7f1e5bcd512980ecdde8e5460b1c0e154262dbc32e3d6f229888096ffdd03e4101a8aff23e05975157b57e2d0732a2cb77cdcd34115ae8913f6e0a1d4

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
55KB

MD5
72bd211b1829d77584f7a84757386615

SHA1
c1aa0efdef64b6b283aa7a316d1c5c9f766e7695

SHA256
7a2e710a7c2a688f2b6df38716e77336afdb621a565fd5786b166b83bc74471a

SHA512
17b9d5a4ad7fec0dad1945a25319dbed27e86af38b211447aad83dfeb90117631126a240e56ca534b8f9ae9b9cc4929d270901a510acc4cd566cbf0e7421c8f2

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
55KB

MD5
bae7a2b97f58dfb78cf19833afed6380

SHA1
0139464514475148c9f5f7a4da9b1a8b35353989

SHA256
b2f4d369e7933035c706cbc5d9046a1471a76fab3f0d87d7498f6858cb516fe2

SHA512
d8f1ce6f91672c58f08f40e50f6e043e68424327d45fe04e1757365c4e00bcf4bc371d831061d2c45e3eeea828f3ce3c688556c0dd38c34fb8f3fac3ec702b5d

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
55KB

MD5
93fb6172450161107b21d5cf8e488394

SHA1
5ad88a58f4a2649fb69a359ae5365fb26d04fc32

SHA256
3a3a464b1d88d2b3302c9a34c4f9f8d375a6c4eb49212c227f66359acc28be4f

SHA512
bad4041170a62c7871611004845846da9ad71bffd5f04a8fbf48a756ff47d17695752ca01663ba604f9992564fbff0527fb411820d3b5fdea2e7c943913623ae

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
55KB

MD5
766456bbbbc772ff604d85c0835bcf56

SHA1
16296a58e4804c559d189f61ece6c55bc2bbca2e

SHA256
5175a943626784f6d7c59e2d42b5c65907cf8e8cc44903c89151fe3f5bd43da3

SHA512
5a36de46eaa3e80931aaf7f0f6cacb6dcd0e88c006f93887485838fd8037ce30787205b4ae08cbd9d8a5264ad854e8d9b0ccae1c0b9604a1fd2f84adaa521ec6

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
55KB

MD5
361e93880d23e4c30353937e266f57b4

SHA1
89e2cc42a327abc30a27da0b5282d14c351e16a1

SHA256
1da1a08091d467996131993f740d8531166514d3c7b16f817697874e67338203

SHA512
f6162b44e3f86a312925ea81875c99bbcefc28657a19b2fc1c766d7b566c676cde0a82659c5741daff049c2a541fbcb4581d76d06fb01a6d74f59775d79bb22c

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
55KB

MD5
06d0255396e383e3d66157596a0ecb65

SHA1
899f7d769435924a022963b197ac6849acd6ff2e

SHA256
ae496b49ee26f332e27f6299de23def83cc97adee5250d0edef8c337ffe2fcbc

SHA512
a30725d3caf414910277db9af9086174e5b8db6f989acb981fa2fa147daea8e3f17882fc8f9c9b435e36a372883556200804ebef8146e56bda036e45368c97a7

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
55KB

MD5
406665a639ca3415e97d1ca59d8c056c

SHA1
ad865810b3a052f0ed75160f5afed0d02b04a19e

SHA256
9b965af7d5889f3905397b703280a7394b5e39bf2ac3145fc6519af6b2dcd8f6

SHA512
720b98944f808dfec1eb8e3ea34e9c973a0932498c39bc65851ff12e034a06e6b1bfff38356ed6786401dbaed8d4c03f43d39fc8976af15b493ae10df1f78e9a

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
55KB

MD5
05d6eea8928e62975d7278a0cb2c7840

SHA1
37b197eca73971313fc1b5bcc1ac061015ca49b0

SHA256
c8ebf2be15db1e447b3d6057a50cd27e21c4ad03c06f5045a8fb5a5ba41fba24

SHA512
ce0bfb81839112cd366151796296356c95a19b8eebebe555beec4fcd3bb79ad6ba42096a9830b1b5471ad0eb0e2f92de856b52a7274cb363c8bbada928c717d2

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
55KB

MD5
4d7fb2d1c5361410d069286852e6ac1d

SHA1
c73fe6b4a5488071f6431e6afd9fce13a3670acb

SHA256
da6d4f6705cff83f379dc357c6466860b7a09e58f44e30afacb8b95f904c0647

SHA512
e2e8e352d1cabcd54d396f666c0dc1977aa40469fc0cc92a4aa67aa624d8261c43dede24055aa3ca0bc295b541d3dcd5049642572dcac9b681f6c1bcdf2fd488

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
55KB

MD5
7f4c9e1301bf1b9760a801b9f8d988a3

SHA1
f6ff73a82200d183b6e7193d02377f4b92c3c2a3

SHA256
be5c84c91c661c30aafb42057a7f704245ac4752efca72d5b7ee76ed9940c7bd

SHA512
60480ed4e9282bbc8280e1468289b3f13f58f08e56825320ac015ea5e8b8a33b0459b751bad06e257b6879d6d1d6529db24562d882dedf431a5184766c393511

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
55KB

MD5
782bb7aeb9aeed3ce6071d953e74bd98

SHA1
8c7ace6e733a1d23798321aa23a2f2b83f044aa9

SHA256
9aeee7b348cb765a462df639387d16971eb2d738562484ca42f698dcbbb61a62

SHA512
0364398462946c41d3c7d8b77528d6552ab932528f52ecb8a6b228d0e2501c1a1addd77e70f288b2cdaf506f1afb6f5dbf7ea76269435ca9f7b59583ef8630fe

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
55KB

MD5
acff384d89c680aba9474868b132889b

SHA1
5f70857d5a7d3e52655b7bd0b78225c886987de4

SHA256
095fc2876051f51138563cec6bfb98f08591a54025c7b8ab393e8e7e9c97a221

SHA512
4096f20215d84bc06da2d6cfa5315f3d24290476f6a6ef06dab1ee9f9a4ca00750fc332420fa8fcca477c0bb84c496b89f640817d1be987659d1f979100a33ec

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
55KB

MD5
36220032097d1c1c73c05320c982aae6

SHA1
f229f60b025d497ea213c040a785a7d96553649a

SHA256
8fdc30263aca85ae1fe30d29f1a859f70baad1d9c774d081293cf29e5841ac3d

SHA512
199493aeabb6943262d1ef0c52277fb6c62d366e390952ddc565ede2467a4b4d9fa651d089988b44f383ca0ccd367ea5c8677cb86d2f712b886a3f8054a95be3

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
55KB

MD5
a78b29541a2f581242bedec6f4028ec1

SHA1
f7ae6bdd383fe6d8f056ce180eb2baf2204dd5bd

SHA256
c4209bd7419d8a6cda9cd8cb0b747a16dff6d890d3e973e7cbc702bf7da1c083

SHA512
8d78a5b61c7b24c68c45bf5c4c5344c14192f6276fb24d95970012abf356ba80994d86e9c9cfe5a51f961530f4b3c8413a5bebebce27f1236f66a3bcc1c5dc5b

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
55KB

MD5
b24b5066bb3b60fa14eb6ea8c191b80f

SHA1
653f8f246181f44b9e5c96367555a86c1eeb222f

SHA256
3f00b8b2cdb27d5747a77288cbd0148f5d167053fcf14c1638a4c4919878594f

SHA512
254def4d48158aec1c29e81b8fcf466f2916df38fe4872de73ab93c989c5a9c4be080877c513b6fac59ea3407d52aa5ea7004202a021d4e789a69bbb8de8d5a4

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
55KB

MD5
f7706aa70e5731eef30a62cee5713f37

SHA1
53188d55458a57bfbe2d76a2f6a48eb1e3199e9d

SHA256
0420974ced6983b1586a05110ee5d08ded4e162448dca1ee4b3fca9f287bfcb5

SHA512
d8d06f3d027414cca11936633bf981030e6078da0a674acc7d38b9a019a4cf9587d4a0fa580eee2826f1e1416ff76395f9ec250adfdc3776398a02ceddb03132

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
55KB

MD5
8823905126e99a5c52fffd04bb485d74

SHA1
d74ddf622b60c242614b40a542996d31c1af6258

SHA256
ea036564bab217784558323a071562c17fadfe24fde89b95b4b9cbc6c7cb49b3

SHA512
950d7a7f20707f53f6a921a0c330439f737a1765f7885cbb1e1889471de180f90979827988de11d4c6d5c53a993921b1c7cb9fc281dbc4a3989d68897f35b857

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
55KB

MD5
2b82b6859331ba3c4f3cdeb2f40314f9

SHA1
b752947e076a129dc09235130038cbbba6a4a8fa

SHA256
23e1ec2ec29c8a9c67c64bb04b0643b9417ef91ea7bdee4022ec2b457d8f990b

SHA512
cf2517148f5e3e683ebf0d6a17e9a30cb55b52f4392bd9832496bd5b60a5f70771ae1f4abd82867a387929b461e7782f31c5b421244e92298bc126686d7f0ea6

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
55KB

MD5
be0538e46b255d13d66408f97ec0aafa

SHA1
5757e0ecafb291a97a0f1845d694f78d7eb37d53

SHA256
be4e34af299f554d9655d225fd62e6ca9a83d3361785908eeb446907978dddcc

SHA512
dc4ce057f4fcef31bfa03a12265e64a9ca01a57029d6043ebb74ce01c1b8305fdca82c58fd3f38fa58dc96fc78ac17b0c49226f3d7f6e3ffd25310eb93668b6d

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
55KB

MD5
6118b1f05ca501e56e0e59b7a614f73c

SHA1
a0e49f29b39011a88a0b7135b2e7c9bb6fd347ae

SHA256
55b7160b9b1fbf8c56c97b4fc209957295216083dd6271d4b40356cbcff92ef2

SHA512
e5d1fa8b63704b83ed5d4673fd1fbf8562730a53082571c9dc7a49de72a4f814bfddef46bb618a66b3349bdfb50b62dac966de3e6935ac6ba370a8277942bf5b

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
55KB

MD5
b26fc42a58bc8f6f8ab18f88205b4294

SHA1
6c8660200bb6ad65e512a398fef7b2e4351f11c9

SHA256
3293f43fd580e0e326efed7aaf103a395d1bc01a83b7ddc51c39c203e1570df7

SHA512
3d664ab2f75df301b300d71210705201c3577eb58b092f848375a4aa6a09f88cc64f9dcf65320195aef87740f23babdae2b1fc6c541e2539da40e505a21cac5a

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
55KB

MD5
f90750a1d3b1b5478bfc2eff92514a51

SHA1
a2d866d87948de4904b14482fa7ada22c0055028

SHA256
c568ecfc2d267ab4769b788c42043a8acfb8a8f1931452258075d8fde49a5fea

SHA512
75b8eadecd59d355f561de1c6bddf641d5d0d615255b942fe071044936a8668f5aa20ad063494ad7eb83fdb09d595adb8b75243d27ad24fba203b48aeb4752cb

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
55KB

MD5
66dd29401e7152fe96916d903f73ccaa

SHA1
11d23005f55c1c8bc2ca149b1e5affbee36fb947

SHA256
7947868efe1779fca84a0227af02b8cb94aae8fe7c2bec5c90b958dca3f51358

SHA512
ed6dac895469d071bf960709f40b7908e09aad529e71bb56c4eac2d7039d86a57b3cd9ff24ffb56b608f8cd204b6d901561f9742cb7cab07874bd6d95d33a321

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
55KB

MD5
fee33b330ebb8bfd28231f5a341a1774

SHA1
014af8ef40abecbec4af14220783bae31a2b2ca8

SHA256
d9878278655d6cd3a0dbc4c8c54c874a6df145519bfd5cdc4e58b2eb3612df90

SHA512
1adba4ab978316133d97e59cf122c818ec208e03cb0f3b908955150146999b792f63e4f09d4755a899f9b0f2a7cb40ac7a2892d5d6e9c96b8de158baff61e279

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
55KB

MD5
a1d552e7b684a8c2d66d508d72cc13d9

SHA1
135c6e234fcbda5addda89913a017e6abc6f4382

SHA256
5dc08f3b2fda7b3222cddf9b621bd7aa6c19dde1699099c436caf90717e11c68

SHA512
08bdcca43fa5f04ca897eb88f01a51e07f9169664242bb28594df3d74dfbb0b39f24ef2095dd387ecc8c7399af35ea67661a1a99117b73c214e6b69fbc22f1dd

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
55KB

MD5
e93a5a10638ac65bed3476986c3d2294

SHA1
0735085b712acb3d5e88b6dbe260d4d3f43120c7

SHA256
87798ad5bf9d7c0ab8395ee18486780af734651528a273bc0903b83340ba06ea

SHA512
0fcb9fb2af0d8392de609aedacf0ff5bff51cd829743d22d9d89829102a89ead8ec7e669b8caee22be7aeffbebf7d6614497586adbb91e8218f644f94eaee3af

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
55KB

MD5
b68ce11bf4715910263927565b0f99a9

SHA1
adde21a357b0ffe03e613484299b6040782721df

SHA256
ed510600a60aa999e64af741ffe8fb6cce7183a1a7bafb4689aa9d75f0e0d6fb

SHA512
d2072808554a658756c1dfde24473db9ab871d9ac10d043650fe364dd143a0822eab36225543bf3977175f46c8e9441bdbc1f4c2816f2599b62aa838186e34f2

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
55KB

MD5
6e3e1968ace68a4ddf371e98b99d3547

SHA1
61e650ffad9bc7cfacd8b9ea15e0cc47e17903d5

SHA256
70ad008e12b3a983198feac8739f43f2220cb38a1424e26975d398fe643c81fc

SHA512
1202b944a20f08cd068d3f83848ee8db08199eca4b4bcac004888b3817ffa45127a52edd79367873662414cb44a3a6ff99ed0ea8b54e2f15b78c751ab3a01932

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
55KB

MD5
b6d6a1aff6e2650da45c0d1cbbe197fa

SHA1
f0b37a9e8eec180f4ce7fbf6cc29f6d5368b0dc4

SHA256
6854bc3ecadaf36fe5cd856239e68192fdcf11766afa59c33a5fe49c6df89641

SHA512
624fc4d0d0c26e18ce31454cc226766c082c4831d3e25777e51e06ffe6da83ebef4a6a1277e3dc381ea0e2f4870691e3f8c6a0d5e6e9356c58e7ef7c551630ff

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
55KB

MD5
eb76328317f3c7e20768ce8027d96ac3

SHA1
b73ec04d0e4966d16aae19b620655d513229991d

SHA256
72b64a5bc7387da2e1e4ebcac4bc75cf182d5e65d7b5684692edf748b5ac02c4

SHA512
a90aaa5d3df5194dad17c0e5c6a6b01abd26109fed6ad6a6a313c1b2d3174c66eb686133b39d366bcf81536ccef654811868936a5195e4242df6962e1fbf1bec

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
55KB

MD5
3b6573974cf6346803e57f3ec7d40cfc

SHA1
a6715bde93d766dd39927991a83ffd4fd4c450d5

SHA256
c3bd13eb02542cd09ad3379baec12ed70485100c2e933e9c17899302edb496fc

SHA512
a77fe3845da52747a9c533c3651aaf7363ca3c8fadde59fa7a394586096aabb27e58f29e7d643db6a96debc9ac840e291584fa4e22560181cac91ebf0871210e

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
55KB

MD5
63ddee380c6d6f526216c8310dfe87c0

SHA1
ed3e38523cc9ae4b04892799fa5b397a82e50c05

SHA256
d6f4eda665506f03af8b276c986ebba96f87c2dd105cf7d789bc38ad33abae32

SHA512
5eff804fd5cfc17739217cabc99a8279926a1a462b3968c471c3e828cb9b5ba04e85ae4d0840d7ffb4b58a530af5143981269af05bb6c489877ed141eaafd7f5

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
55KB

MD5
7c652b40b33e4d843f2e2ab8d1c6e8c9

SHA1
50aac925d7527ba14fdee7a0bfebee0e315bfae2

SHA256
b083e2f78e037f079084148a109c4403511459ca8719962c296a0e205a999846

SHA512
b820813b0f37b9375483e1b519615a97f7dfc5398c8990982b870b2d699a14d36063d28d6087b0205514056b19b9c8cdf02c6f8525fd418085072206903de79a

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
55KB

MD5
d3a9342bd023dd4c38d36a4e6b4b7e15

SHA1
f2c3bd3780fa2e52434a9af74ef3dc3f3da2bdbc

SHA256
bcc25a2c4487160245d707a02d48bdcb0dc4bfaad1a0fab4a9e34c47aafc83a7

SHA512
46bdf710d7d11e49a2c77f394c87a3ad5eb7808d428e157582b03a431334d18b9621085b0fc8897b3fca072d582a2e2f7fcb73916e7a743a6c3830e4f21767d0

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
55KB

MD5
48537225bf7eabcb154ceba181222745

SHA1
f4b5d097be9f36bd58b03a3a96aa43894505c619

SHA256
462838dc74c7bba63d50ef0514845f39009e95eb66d27867b32d80d05621b322

SHA512
d7e0b7256bb876ecfb59a4b23f718777313fef06742e256f32268ea3222c0576bbd0d1aa661413a57855e2a7d0e0d26d12557a0d44f4239d6311470e829d650b

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
55KB

MD5
f23164b4505bb6c3ea8310f3f4a4581a

SHA1
63bf997ea70cce9616d45088691ce3387c4151e2

SHA256
1949e8c92a572c77046e9cc8f803f14e406515a6ddb958bb1206d608c668acac

SHA512
bce1c10a90acf5c7db9cb31de138eb1d7606a1a4622310bbb4f55246da37072b7bf82efed422dad4369dc026696fdd920897eef0bf0479b0d8632911efdca3db

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
55KB

MD5
e8c3e7c3cd58266b2b693a1382d44c24

SHA1
dbe3dbb43d80f2ec32d765478015599f7aa40704

SHA256
020851823114507223c40edb867de1f1651ffb3a3a2a415c130dbfb6e0351b69

SHA512
1382b9a29e63db023e7b03225547b28d93c4f792e1165f57263da2533c804b9eda340ea5e11f8901358a37c9c3c363158dda365162df0ed96dd0fc5b16bdb9ee

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
55KB

MD5
517e57ff25b921cd2f76e763acfaf607

SHA1
5fbd7964a6c6a815aea3573949a640f30645ead4

SHA256
6e85ac780cf4a557c1f0ae88396f8dfe088bcc23d223a5127a47f1cb8d11296b

SHA512
4406b15a307644b18a8b37117418c265efe6f2b7a1d9fcca95fe0dbc30860e5be077fdda945a586c53997276931a9773336f7baf87ef47af40772cd99dfecbbd

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
55KB

MD5
447c8f2b927405f2a4e04e3ad7bcfa5b

SHA1
e3c5eefafb68a7cc25c2e57a266b4351e9aa218f

SHA256
e00caeb83ec207aca706815a08ecf7d27b279f41347e1d77f802ad41a20e00b5

SHA512
c0122063de0d31da968d299c968c2ec7d0fc73f68f50ba0eb65e9c0acb71bb1e29d20370556d82ec763a209d2616f55eaff29d24826a7bd5d37809fc6cb2402f

Download Submit
memory/224-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/260-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/260-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/564-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1492-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-904-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5196-833-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-868-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5260-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5308-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads