e227f87fbecfbbfc735815989a09e6cfcdc4aa88690b27ab8acf100dc727fa3a

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e227f87fbecfbbfc735815989a09e6cfcdc4aa88690b27ab8acf100dc727fa3a.exe
Size

192KB
MD5

5900b58b06d50fdfecc5626d808d76c9
SHA1

22743bf15ddeceb2a54958c5b22d2b642c8e0bc7
SHA256

e227f87fbecfbbfc735815989a09e6cfcdc4aa88690b27ab8acf100dc727fa3a
SHA512

75bf0381889c44db655d8f8505c430bb7aa0862890a25e205a3abdc95931bd68606b418546c5e5e68b0b74b3b6cfd6be8cd7b2ad97be42e2b60581b22a55561e
SSDEEP

3072:uiBjWjiIhk8cnnA/jeRZ2qOQpq3HNr5GnV54c4NthaeKU3d5vEiLqsC6vxfdwtP4:uMjHIhiRgqO+uNk54t3haeTFLel6ZfoQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	e227f87fbecfbbfc735815989a09e6cfcdc4aa88690b27ab8acf100dc727fa3a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe

Executes dropped EXE 64 IoCs

pid	Process
1400	Lebkhc32.exe
4372	Lphoelqn.exe
3316	Mgagbf32.exe
2816	Mmlpoqpg.exe
3884	Mchhggno.exe
1272	Megdccmb.exe
4208	Mlampmdo.exe
4332	Mgfqmfde.exe
2016	Mmpijp32.exe
2336	Mpoefk32.exe
1508	Mgimcebb.exe
4240	Migjoaaf.exe
3516	Mlefklpj.exe
3064	Mdmnlj32.exe
400	Nilcjp32.exe
2456	Ndaggimg.exe
2720	Njnpppkn.exe
1944	Nphhmj32.exe
2484	Njqmepik.exe
1612	Nloiakho.exe
1044	Nfgmjqop.exe
1956	Njciko32.exe
2852	Nggjdc32.exe
2684	Njefqo32.exe
716	Olfobjbg.exe
2432	Ojjolnaq.exe
1500	Opdghh32.exe
4908	Ognpebpj.exe
2924	Odapnf32.exe
1452	Ofcmfodb.exe
208	Oddmdf32.exe
3232	Ojaelm32.exe
4980	Pdfjifjo.exe
3644	Pfhfan32.exe
1032	Pnonbk32.exe
2704	Pdifoehl.exe
3448	Pggbkagp.exe
3492	Pmdkch32.exe
4776	Pdkcde32.exe
5004	Pflplnlg.exe
1936	Pmfhig32.exe
1348	Pcppfaka.exe
2812	Pnfdcjkg.exe
3260	Pcbmka32.exe
1528	Qmkadgpo.exe
3620	Qceiaa32.exe
712	Qnjnnj32.exe
224	Qffbbldm.exe
3528	Anmjcieo.exe
2304	Acjclpcf.exe
4624	Afhohlbj.exe
2868	Aqncedbp.exe
2796	Agglboim.exe
3092	Anadoi32.exe
1668	Aqppkd32.exe
3824	Agjhgngj.exe
4396	Ajhddjfn.exe
3948	Aeniabfd.exe
4892	Anfmjhmd.exe
1340	Accfbokl.exe
5084	Bjmnoi32.exe
976	Bnhjohkb.exe
2284	Bagflcje.exe
2940	Bganhm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5852	5524	WerFault.exe	210

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e227f87fbecfbbfc735815989a09e6cfcdc4aa88690b27ab8acf100dc727fa3a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1400	1520	e227f87fbecfbbfc735815989a09e6cfcdc4aa88690b27ab8acf100dc727fa3a.exe	84
PID 1520 wrote to memory of 1400	1520	e227f87fbecfbbfc735815989a09e6cfcdc4aa88690b27ab8acf100dc727fa3a.exe	84
PID 1520 wrote to memory of 1400	1520	e227f87fbecfbbfc735815989a09e6cfcdc4aa88690b27ab8acf100dc727fa3a.exe	84
PID 1400 wrote to memory of 4372	1400	Lebkhc32.exe	85
PID 1400 wrote to memory of 4372	1400	Lebkhc32.exe	85
PID 1400 wrote to memory of 4372	1400	Lebkhc32.exe	85
PID 4372 wrote to memory of 3316	4372	Lphoelqn.exe	86
PID 4372 wrote to memory of 3316	4372	Lphoelqn.exe	86
PID 4372 wrote to memory of 3316	4372	Lphoelqn.exe	86
PID 3316 wrote to memory of 2816	3316	Mgagbf32.exe	87
PID 3316 wrote to memory of 2816	3316	Mgagbf32.exe	87
PID 3316 wrote to memory of 2816	3316	Mgagbf32.exe	87
PID 2816 wrote to memory of 3884	2816	Mmlpoqpg.exe	88
PID 2816 wrote to memory of 3884	2816	Mmlpoqpg.exe	88
PID 2816 wrote to memory of 3884	2816	Mmlpoqpg.exe	88
PID 3884 wrote to memory of 1272	3884	Mchhggno.exe	89
PID 3884 wrote to memory of 1272	3884	Mchhggno.exe	89
PID 3884 wrote to memory of 1272	3884	Mchhggno.exe	89
PID 1272 wrote to memory of 4208	1272	Megdccmb.exe	91
PID 1272 wrote to memory of 4208	1272	Megdccmb.exe	91
PID 1272 wrote to memory of 4208	1272	Megdccmb.exe	91
PID 4208 wrote to memory of 4332	4208	Mlampmdo.exe	92
PID 4208 wrote to memory of 4332	4208	Mlampmdo.exe	92
PID 4208 wrote to memory of 4332	4208	Mlampmdo.exe	92
PID 4332 wrote to memory of 2016	4332	Mgfqmfde.exe	93
PID 4332 wrote to memory of 2016	4332	Mgfqmfde.exe	93
PID 4332 wrote to memory of 2016	4332	Mgfqmfde.exe	93
PID 2016 wrote to memory of 2336	2016	Mmpijp32.exe	94
PID 2016 wrote to memory of 2336	2016	Mmpijp32.exe	94
PID 2016 wrote to memory of 2336	2016	Mmpijp32.exe	94
PID 2336 wrote to memory of 1508	2336	Mpoefk32.exe	96
PID 2336 wrote to memory of 1508	2336	Mpoefk32.exe	96
PID 2336 wrote to memory of 1508	2336	Mpoefk32.exe	96
PID 1508 wrote to memory of 4240	1508	Mgimcebb.exe	97
PID 1508 wrote to memory of 4240	1508	Mgimcebb.exe	97
PID 1508 wrote to memory of 4240	1508	Mgimcebb.exe	97
PID 4240 wrote to memory of 3516	4240	Migjoaaf.exe	98
PID 4240 wrote to memory of 3516	4240	Migjoaaf.exe	98
PID 4240 wrote to memory of 3516	4240	Migjoaaf.exe	98
PID 3516 wrote to memory of 3064	3516	Mlefklpj.exe	99
PID 3516 wrote to memory of 3064	3516	Mlefklpj.exe	99
PID 3516 wrote to memory of 3064	3516	Mlefklpj.exe	99
PID 3064 wrote to memory of 400	3064	Mdmnlj32.exe	100
PID 3064 wrote to memory of 400	3064	Mdmnlj32.exe	100
PID 3064 wrote to memory of 400	3064	Mdmnlj32.exe	100
PID 400 wrote to memory of 2456	400	Nilcjp32.exe	102
PID 400 wrote to memory of 2456	400	Nilcjp32.exe	102
PID 400 wrote to memory of 2456	400	Nilcjp32.exe	102
PID 2456 wrote to memory of 2720	2456	Ndaggimg.exe	104
PID 2456 wrote to memory of 2720	2456	Ndaggimg.exe	104
PID 2456 wrote to memory of 2720	2456	Ndaggimg.exe	104
PID 2720 wrote to memory of 1944	2720	Njnpppkn.exe	105
PID 2720 wrote to memory of 1944	2720	Njnpppkn.exe	105
PID 2720 wrote to memory of 1944	2720	Njnpppkn.exe	105
PID 1944 wrote to memory of 2484	1944	Nphhmj32.exe	106
PID 1944 wrote to memory of 2484	1944	Nphhmj32.exe	106
PID 1944 wrote to memory of 2484	1944	Nphhmj32.exe	106
PID 2484 wrote to memory of 1612	2484	Njqmepik.exe	107
PID 2484 wrote to memory of 1612	2484	Njqmepik.exe	107
PID 2484 wrote to memory of 1612	2484	Njqmepik.exe	107
PID 1612 wrote to memory of 1044	1612	Nloiakho.exe	108
PID 1612 wrote to memory of 1044	1612	Nloiakho.exe	108
PID 1612 wrote to memory of 1044	1612	Nloiakho.exe	108
PID 1044 wrote to memory of 1956	1044	Nfgmjqop.exe	109

C:\Users\Admin\AppData\Local\Temp\e227f87fbecfbbfc735815989a09e6cfcdc4aa88690b27ab8acf100dc727fa3a.exe
"C:\Users\Admin\AppData\Local\Temp\e227f87fbecfbbfc735815989a09e6cfcdc4aa88690b27ab8acf100dc727fa3a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\Lebkhc32.exe
  C:\Windows\system32\Lebkhc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\Lphoelqn.exe
    C:\Windows\system32\Lphoelqn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\SysWOW64\Mgagbf32.exe
      C:\Windows\system32\Mgagbf32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        25⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        28⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        29⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        38⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        43⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        44⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        67⤵
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4680
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        70⤵
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        72⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        73⤵
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        74⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        75⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        76⤵
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        77⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1040
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        81⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        82⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        88⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        89⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        91⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        92⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        97⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        101⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        102⤵
        
        PID:312
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        105⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        106⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        115⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        117⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 228
        118⤵
        Program crash
        
        PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5524 -ip 5524
1⤵
PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
192KB

MD5
0e3f0ad3e207a8983bec7d4a4ed5ea41

SHA1
99879d5e60a5437257fb829c4b8a3aeb9497a094

SHA256
983d2215ad883c2e8daf23540ae13b1f0be91f2bfb41d085e2cf4dd6fb9c1580

SHA512
043f2974922625f1d0f250f5432f3a0c6b4139f8748de01fcfa0d2530e2614f2ead9f990647d93b45f8bf623968bbe0ea8ffa956924029a46e2765ef79bb198c

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
192KB

MD5
9fa0270b4d448b98c399fbe715d8feb6

SHA1
03e97f0999eee2d90dedb8af88a5857db401c814

SHA256
bab6d6c08bb5cab79cef7921190e8c0c1b44ce507ded302799752cad45a8a61c

SHA512
580f6490d6098bcf5645b75f6c7be8e3fdd718aca0aaf262d280d9476024b71469803953e3184de571ef6259aca4fe15c9e0dea7e71277a4113b0b21d747e357

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
192KB

MD5
982e42daf22870e7185927de30e1c43a

SHA1
09d86665e73f91573e0484c8dc0bc496b66abdce

SHA256
c0d12e5e2834b9538e1b339b545104926d72e14c7839fcf583af8a5eff8c060f

SHA512
a7d0df70bc4668ac9d46c08d4c15c742c50360382e4425d52666e70ba6cdafd8c3cfe0025ea472e5b4216891a3fd4cfbabf2d8af74fb329ffd57e5efbe8a93b8

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
192KB

MD5
b43ac1984c8ddeafa8a4e10c315115b6

SHA1
ccc574e8da9fe1c762aba3cbea3f920d66f0fd6b

SHA256
226f23b9148c188164cbd9e93b5ad8c71c60f5c88fba2b2b117931498858d2f5

SHA512
8d143b174e40c347ac10a10787e6bb250ee7537dd0d54bfd823849d82056b6222013de1fed05f7838d35aad9e7caeb97d0c250254c1e4e65e55fbcfb34f593de

Download Submit
C:\Windows\SysWOW64\Hhmkaf32.dll

Filesize
7KB

MD5
f7c5f7fa20b3b4a5a83bf3a979271124

SHA1
d228945d8a7b9af577aefb8eec618df0276a3e67

SHA256
8b68a761f124f279dd79b84f6edae105b20ca095e6dd836cc87c6d3f22f18484

SHA512
5b70f9b88205c2bde0246841db680c5664d994fa858bbfe9b8205187a190fc103ca61db713f51077c8e1a5794820241d7735d7de87a154abee6563354564b708

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
192KB

MD5
dae555315386b2d95ebeccc3d9ad9e95

SHA1
40f0b941d0272563b524e8438b111043bcfc6fc6

SHA256
c44597b2e42b9f1f294c7cf9c7981b359cc660a3f17968faf7629947eb95c853

SHA512
2da8d9e80a291ca6af66bb0c398ad59b3cbf06e8189b40484d849b25cd733209057eb3e5962443d97f9d4289f76e39d2c34340846321670d29cba7b1e34ec2e2

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
192KB

MD5
2462508839af89499a3148c4895909e5

SHA1
a5f0155359584a4e621c169c25f93d07ffb4789e

SHA256
c05570fd7793badf83e420fdeb92c39112a1c30a5e526264de7b60e9627e8011

SHA512
165e834ddccb4d2db3c1e47f3f01b68c9830280190bf80a18d1f04cec92aa5cf521394696c411709f5bf3f01ee9da2ccc3a31dce1b2f3dc25c50ba038b59f4f9

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
192KB

MD5
9497ae9eaa87d7964db171d21bf7af37

SHA1
cd7cc0bcfd98e09f6bd76b76bda9f8847214a3fb

SHA256
3c7cd14a123a8558395ebc11bebfc5ff3e243a84cf8881ea381d7c7169aae85c

SHA512
f8acbdb32750078ef1ad95d07c40c7504945eb7dd7a0478661a7265492136adb13a4745a28f2e538c981164503c2e67f98d27c596c019ec8e2227094f2849b65

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
192KB

MD5
62cd246bd147d7f4a9f00b228d4e651f

SHA1
47ff3475a9006bcdbe3288ed35ef2689adf4100f

SHA256
6cc9d8d3acff00b18ceba70805b9cdeb2db0e1a9ee45500fd85a62c827a8d259

SHA512
65c7dd9a717024e422f0aa3e703dea58847313e3a632d6d81bdb1fb8f3efeae46fcaa21843d7f273f4f9a3eaadefc2964f2a6897302c0f4c3dd48514dfc4bb8a

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
192KB

MD5
204ed388806b61a4097b46bc647ae0a7

SHA1
610ab357cc6016972eb70da91a49ada1529016f7

SHA256
6c908d11b998dc2e734c2cb511a506852c440f09aec1274ff3dcdef444043d85

SHA512
432810a7f2cf1bf41f7af0a42d6606f904629a34dce8ee6199e144a34f5a43e82fbd99a2471287b33d673efa62b4ed63587e7b82f76a35a0c7c442c4eef556ee

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
192KB

MD5
45940e3d3b447b995ad079018dd094df

SHA1
af852d4e97d2ce09c5f713101c7ae1cb3fc380d2

SHA256
bce262155e7f387703798b16f52e847c9b2deb025e2d8f0b0aeed4f030b0b9a3

SHA512
a363b407c122772ea05bf1a611ade949a5686aae95de99cb3cbe34afe6cba3e2ce848eea71d091763ce3ff5d296b84a7bffae6903886761b3323285e3aeb66c7

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
192KB

MD5
99311a77e621bef759a8a1806213d048

SHA1
c396b64cca2e93ea6b98af07f22c0491bf766e4f

SHA256
c4c99451bd67b53c5f7deb78419f51cc9c1f37af2cfd518db718bd5b8185fe23

SHA512
287c7bc4eda81cc365ba58377f90861afcbee8e2c1e5d5a15b8dbf8f47f07d48d6cb1641850dafbf57380aff82da46e151087100beb5d889eefd9c0ec7ba2ce7

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
192KB

MD5
4467df05c7c7a533acd04b2b6c490406

SHA1
d8a485a138c9bc8fd26c97c33e75e82b52013a5c

SHA256
e73feeb638580f757fb20bd9464c3009341721e2710535c6a43c084578e40354

SHA512
eefb7833a14bb1a59d012ddfe51095cd4058c954291bdc95acac3ab84ca88dbd5689b4e51712953676e7277ad0c932308bc987d889f4a7f8b9630c29491d3ed0

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
192KB

MD5
f335062ee994f076a2feac093df61ff3

SHA1
820f74af354716053beb9f55e8ab315f5716513a

SHA256
c9c077594df030ebd7799745603d69655764f28cdcf6c55da8f9045b224fdddf

SHA512
10cba91a07e8f376d8c8f81ced7c7963e8776e5ccdde836e8a05d11e8a71a4e68e1dd543ad8813a421186efacb352baca178ea28884783dc04f049cb9e06f25c

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
192KB

MD5
c01c04d08ad7929a8bc4125114f63576

SHA1
15ec9209949fc57561e0429fc487afb126fd3192

SHA256
feb36f4f764ad15f4c8b677ab7810aedcdcf658439e5180ade4181717da33e77

SHA512
2b2c334e43f7383560dcaa97f08a14702e39d3a81d6d05afaf2e5e03fe02817519e405adad44f94285ce2ce9715a0c6628e851d37c69dc6e74841aaabdb57acd

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
192KB

MD5
1befb1fa597e0fc9a3d0b33ee0e7b969

SHA1
d025d8146da89a859b3a0080b74ee93fb2c89808

SHA256
0d0b02ad1109286618bc43cf9110b9a0358f6cc207eab3d182108b59c3df04a9

SHA512
94a95593eea4406e450aa05c2d0e20667c4ac715cba278933fc3e06345a8bf63bdd2c914aab846c3002bd360d4c00f1cf4e2265dee5a2c7b5ab0cfb57d3f6227

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
192KB

MD5
ff99db14f1bd2fb5e3d9f5f427a3c966

SHA1
b444b301cc8906104dc4bb7b523a394b83c052fc

SHA256
9b3293f605cb213ab445f2c54e169f223f8bf7caf6f800a5cdcce32fc77ff712

SHA512
37eb4228f1e5264ecaacfd2dee073462dd0a650c80c92121b1021fc5c8f9ace083b4b8383ffbea9eff3968ac6fd1f398dbc104432930918cf77db49777245fe7

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
192KB

MD5
03dddc39c3bdd81b541d754bb29771f7

SHA1
ac6a9ae497ffcbbaea29efbe0d2f9e51e9690cd6

SHA256
66c70646951c9254a7a8f23f4e463fe756891fc70c369be090bb6da4fbd8fa75

SHA512
88319b97e042e4837f40150a769ed0659e3124be426cc2e9f05786918b1e2efe23a6d415451b3f6665b937426c4834392322f7dfdcae758664c22fe8db59c83f

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
192KB

MD5
70902c741d09e76845c5ced9ae4d99b8

SHA1
a369920f27895fe198b9f38e6e5210edb2c5a71e

SHA256
a6a701070523e506b1eaf101b7d566245cd000489503b2c853929bba53542acd

SHA512
64adf92a1f9281c10f56cbe5ef83e24c1f34ca9f24b235df074eca3d45c3c166647f342ef2a6bbd1d0bda09e0a3baae1839278af3502c7866168fe1f413c3964

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
192KB

MD5
8e1cfd723893ed683e02dbc51618910d

SHA1
cbabcf0901f98a5377dce27a46da275cea9a446e

SHA256
9035af504a4518f29d0b0f5b55f4ce880c98bdb9794c726cb5e657605fcaea3e

SHA512
dc0e92bd3623ccf9ee4482efd28666d66837d3f46f7fd33ed04bd6d53e57207b627463516bd8dedb2fe8f8ebcf609f210ffafee5c50c05933c623eb446218020

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
192KB

MD5
7d967c1ff3a4be950269fd4797980257

SHA1
4afa877707831c4d92dbc58b470f7dd547378dd8

SHA256
64663b93fdce7dc055a12d815931ec257ccd83ea6797c556818d6b0c0373a294

SHA512
4c77cd6537dacc379c9de332bc1700f2c9e044db19646c977f9344da44768c9872817c1878903259d61ecb202095de201ece3b5ff0e0a8cbd2e4c22937c14b1b

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
192KB

MD5
face269b0f3c24fa37c8b2eafb70a134

SHA1
19241f9499ded38be6e0bab474d3dba079e160ab

SHA256
767e3d7edc060e505fbea4e48d1288c6c7570a5d84c2e1b07d7d6dda754fc193

SHA512
e7912d884c2ffc74fa063043c653c478735e974776568799d942b05e1739106c44cb325d050fa0569bb328fbfbccbff7e17f13a850b56709ea9ce16a17d4a888

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
192KB

MD5
3cff5ac1f4b384475afb34b88712368b

SHA1
a4a06380292278f0d7baaaa07b7f66631e4e6a80

SHA256
8905e6ee9d79847e632c1cb9c70bdec645a03d143d1ab41a3757b14bb52c36e6

SHA512
064221f293cdbe13dfa09a0ce00a141282f89a0efba1b44b57743c62bf03839d92ba667f76d675504ffd6016d6b41080fc550f19ef03763fcfc16f9ed93ef09b

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
192KB

MD5
f60b66c0a590ba40a45060135f53f70d

SHA1
d3285cc3f7ffc8e5090e4cc16bbe5ebd67d800b8

SHA256
aa7d6db6ad7b209ed6acc07b0c0c198396e0178cbf81b0133d10b2126c309741

SHA512
d716079065767814e47bbaeb0e0814e8fdf322bcd5575f78baa9013fe8f1b064de3c23775a08705e2407a5b58b78c3f35ee7d3fed9d2d1cad21863c43f5b54fb

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
192KB

MD5
f9af2af14e3fdcf23e4fdd061525b809

SHA1
23ff0494f7b6fa56d25debc2692e6236d3cf58ad

SHA256
7e5a9a017d35e6b21bdc6ced463ab1fedc2b43f5635ee605df5800965bd9aa3e

SHA512
23ac18b043764a8c0e0db389b318a4cac1ae5d939383e02a04a33f8d91be336f010d12abbc6d10f2d47fae75f9dbd863e0be0c939df06757be6627b4992d9ec5

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
192KB

MD5
c373d93d104a0b33a27fd63943aa7855

SHA1
3b90d955f8a4f7045650c40e381e5e4a8b19e023

SHA256
db0560f421ffdfb75dae0208f8801202a69c96fad593abddb94ee7971da4656e

SHA512
c8123d68edb38dc2219540411eecbd4b89b520bf616566d557642a728bb1aa1ba1400449eded416cfa5fef2ad73eec96742a95c3f6ab8e8ddc370a57433b8787

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
192KB

MD5
46677b605113e8bd5ea0dd64f7c0ea78

SHA1
ea70c38c2da47924ec54c566accf543c37e1542a

SHA256
89ae7fbddbeceb40578b59625acd30c630bc8d7240f980bdbd32d48bb57e9c78

SHA512
4894ee4ae2a2cda8ce03b9a6e61add0e7b652b2431938a3d98d71394d38e2025b6bdc15dd1a70027191ea084a702458d16d90c5b1ed291cceedfdecc4bb44df6

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
192KB

MD5
0a0bab11f14db8f43b0008a873b864ef

SHA1
4016556eff105f63229106587ac24eeebe97db77

SHA256
9cbac60168ee63195e504b70fabcf6a951b960d1e74575868219b7e66c735375

SHA512
32da43040af3cbe52825b903b00f39f5d2a085f3829b1e33991bcec6669ac59f2c6328c9fab45ef0d5fc49abbb42d7fc26f5aa064883686d7e6da9ebb8018b66

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
192KB

MD5
a966d21364964d10ee74934942ae6b18

SHA1
15af7bd8d1dd82f372f58591c47d65443cb3f90e

SHA256
6646ca21af3146ae84040732702c2d62dac269faea4575434bd41af770370b5f

SHA512
d8c090f65bad83097d3e8ac360cb807c1eff7c71c4e3408d1dab0d6218a86900a55c99717b08f14471bc7e74959f27521b41b69565bfb0b9d1873cd4f4ca2bf6

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
192KB

MD5
f5394b8e1bf775b32d7e1f58c1701b78

SHA1
926cc3afb7314e964403ca4790507797d025bd69

SHA256
ecb3024c80f550dd962ea8e1408efff1119ec14814ca598abbc358caf8524c41

SHA512
b7064d9eba02d0bcee1f252e105a4ed5ce2b4b0b29a928b8863ca411ab2a6fb450b60d9bbe7e73ecf91022e48405f17b2e291d048d3b4eb6fe4b9e551a41b1b1

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
192KB

MD5
8bf7eb1b9594f74ff7ae33cfa0d348a2

SHA1
e7ccbb67b6b41b52ce54d17428dc0d8c6173b9d0

SHA256
b2f94585a57c53b4626489eb80bbb582a15a6e6a6024464f47e1c889e7a63bdd

SHA512
d05e4e7475aedd8c59f187e18f9d8949448c752d300ba6186b92b5f42825de5711a6b915d0c59c260541e1535708a10b3371b74de7651f88a8f883ba2000d1ee

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
192KB

MD5
2b9fa3785921d7c6f96345308b14d652

SHA1
8451af82f5bb398c38def709d05d8d7100212626

SHA256
bb85f27cec6ba197311bac99abc96d4eac94470f658c34656f79d862fb6d750d

SHA512
a7fcc45504b097d5bac816cc8e792c1ab6401a02d5e84ff16dabe0d50bbd1739a341560197fdc6a0a662c69f0ebce3ab7b26d681a6561cecb80eecbc2e8c2f7a

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
192KB

MD5
bdf233da56087103c2bf348a3a5a6d9e

SHA1
deea46b40da7c2959f4d142626b377f82dd385e4

SHA256
376b40a6ff7fc32cf8bcd622a9d0a700410255e68dddd826a4b6a97cda602ddc

SHA512
82a3d89445080c54edcf289063645e1a1970f6e86964fd8ecb5216765c92c220ef5b4a1ec80e05dc5dd93ea6fa02b7ff8edeedd363df390999e821c92293cc4c

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
192KB

MD5
401f8db33ad154dbccfa70469c7138cd

SHA1
e5cef4fd5b5d14e2ffce0cd8131be8d2b1c2a714

SHA256
7b408996bb8bdf61c9e441f3f4ac1715ca06b1140f3e65ed93d7f11c8425e274

SHA512
06e6918bdd0bf645b603e52d82a19b5e5e76f5ef741b7ac12b747b27ad8b3fc2de23e4109290dea45ac58781a1785c27d781664ae3351965cfb561f0b7478240

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
192KB

MD5
4ed8122eaa424a45ffa4e33df976de14

SHA1
913d179ede8197963761706aab243eaa44b8880d

SHA256
0805fa52c35c658a86bc876a4f5e8ffc7bc6782665c796dc17f90d926609a2b9

SHA512
317bffe64bfeea795e213cca349ac2b72007306e5ebfc4fe18b5aadfc41fc77e837acea0e3697a431ba4e78cf486a120f1a010eccba00164fabe3a8598f9ad5b

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
192KB

MD5
56e973737fbd34ea1d1da505a1487707

SHA1
fa431349e4755cf8987747c98669aab14873b48c

SHA256
e3692c21e5333d105574dc8ca228699f5a981f3124d4d9a75c383b5e530bb8bd

SHA512
2d9f8f9034b8f12cf077c6850b01b3d1719b11bf99bc2d10e3e30c87b9431a9e4de730edd4d80717575ca6c663d0f210cb94c697e1bcf628d80c3ab6fa4e5f29

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
192KB

MD5
f282883829fd45e7777093b8ce17a9dd

SHA1
92bcb1c02eaad128a076a4e09fcbe633b343f010

SHA256
018f14a62a6dcb301f7b02137b5956bfc01ff192a136c65fbf60e5428f11ac82

SHA512
ab2cb5d9e51089de082f0568dc225addfd705f21520810d78cda5b6f3a58fa7152eff4a882655da70313d1d038d26f827785ba8538fc0652dcaf98afd0a6ac79

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
192KB

MD5
cc416853ecefbc17187b8bded3386268

SHA1
feceb0a5119b49775c5ef236c1b84fc440eb1452

SHA256
a932ab079df156fb4b44a1571fdc7dce753b2dabce1aeaae103f38a6b0aa0450

SHA512
316a8005d9caffe22ff1d33cf40dfeb1eab2ca2c1ed8b4424ccecebeb8fe22a91f6aa8870695e6969a294937c0ffe9ce2c09a030a0a69e2991641cb37ff57ddf

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
192KB

MD5
13f921f0513f146a2e994d5d026c9fd7

SHA1
8b95d50deae37c8c59b5420b013e43f0441d1311

SHA256
2f4e5a06883c856b5621f09736a3851994cb24e0cbeeb2d224766d3c35114e85

SHA512
50014e19248d5472dbb88fe7bb67941b7fceeaabc1ee9a0e082849673317fe04fcdb316c128ee7e9c40109d8a1bc38a65702824705afdf25b702b38417a76c67

Download Submit
memory/208-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/208-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/224-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/400-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/400-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/712-444-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/712-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/716-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/716-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1032-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1032-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1044-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1044-263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1400-93-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1400-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1452-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1452-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1500-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1500-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1508-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-85-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1612-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-434-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1944-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1944-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-86-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2484-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2720-230-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2720-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-420-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2812-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2852-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2868-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3092-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3260-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3260-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3316-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3316-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3448-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3448-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3492-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3492-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3516-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3516-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3528-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3644-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3644-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3824-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3884-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3884-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4240-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-102-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4624-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4776-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4980-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4980-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads