eb01b91e7202980f21a4c9b71f758fa74496c7bf3b61dd5927dee9efe3cd2fe8

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a9a3421db86570be59abb29aee7fdb60.exe
Size

448KB
MD5

a9a3421db86570be59abb29aee7fdb60
SHA1

f9da65bebd5b30e8d6cecbae27f49e3e63b7d919
SHA256

eb01b91e7202980f21a4c9b71f758fa74496c7bf3b61dd5927dee9efe3cd2fe8
SHA512

cea2ffd7a04a40ac205688703f9a76ea60141a81455b3213bcda0d5d827ff46d40911fad6dcee882c5dc8c85fa568e5d275f6ee0ae2fb3058df2eb7440f02ec2
SSDEEP

6144:XUtpRvZWSeVyku0aFTcUNJaVyku0aMtfFBDpQKK2Vyku0aFTcUNJaVyku0a:XSXvZWtyHclyWTqKxyHcly

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcghch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaakpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fedmqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnindhpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onapdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gghdaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbenoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlmchoan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edknqiho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggldm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmohno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfglfdkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cijpahho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkadfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpdegjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aompak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbfgkffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqkill32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmhijd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehpadhll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqpfmlce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjkblhfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnpphljo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cofecami.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bihjfnmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gngeik32.exe

Executes dropped EXE 64 IoCs

pid	Process
3804	Pmannhhj.exe
3436	Pmdkch32.exe
3700	Pncgmkmj.exe
4112	Pdmpje32.exe
4412	Pqdqof32.exe
3584	Dfpgffpm.exe
2152	Doilmc32.exe
3140	Eolhbc32.exe
3756	Eefaomcg.exe
2828	Ekbihd32.exe
1500	Edknqiho.exe
2184	Eaakpm32.exe
3244	Ehkclgmb.exe
2520	Fdbdah32.exe
3116	Fafdkmap.exe
4472	Fedmqk32.exe
1980	Fefjfked.exe
2304	Fnaokmco.exe
4560	Gekcaj32.exe
1560	Aompak32.exe
4128	Ackigjmh.exe
1952	Aihaoqlp.exe
5000	Amfjeobf.exe
4432	Acpbbi32.exe
4960	Bcbohigp.exe
3600	Boipmj32.exe
3856	Bfchidda.exe
1736	Bcghch32.exe
3896	Bjaqpbkh.exe
3692	Bqkill32.exe
4600	Bgeaifia.exe
1932	Bmbiamhi.exe
5064	Bppfmigl.exe
1892	Bfjnjcni.exe
1880	Bihjfnmm.exe
3416	Cgjjdf32.exe
4584	Cikglnkj.exe
4764	Cglgjeci.exe
208	Cadlbk32.exe
1744	Dpckjfgg.exe
3380	Cbphdn32.exe
2612	Cijpahho.exe
4872	Codhnb32.exe
4392	Cofecami.exe
4916	Igigla32.exe
1012	Ldgccb32.exe
1844	Lkalplel.exe
1776	Lmbhgd32.exe
5088	Lggldm32.exe
4524	Lnadagbm.exe
4920	Lkeekk32.exe
3704	Lmgabcge.exe
4264	Mcqjon32.exe
3624	Mjkblhfo.exe
4568	Mminhceb.exe
4208	Mgobel32.exe
3748	Maggnali.exe
2116	Mnkggfkb.exe
492	Mchppmij.exe
2436	Mnmdme32.exe
3016	Mkadfj32.exe
4388	Clchbqoo.exe
1268	Cbpajgmf.exe
4984	Chiigadc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkdjqkoj.dll	Gnpphljo.exe
File opened for modification	C:\Windows\SysWOW64\Hnphoj32.exe	Hhfpbpdo.exe
File opened for modification	C:\Windows\SysWOW64\Iafkld32.exe	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Jhifomdj.exe	Joqafgni.exe
File created	C:\Windows\SysWOW64\Mgfhfd32.dll	Kpqggh32.exe
File created	C:\Windows\SysWOW64\Ogajpp32.dll	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Pegopgia.dll	Enfckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	NEAS.a9a3421db86570be59abb29aee7fdb60.exe
File created	C:\Windows\SysWOW64\Dheibpje.exe	Dfglfdkb.exe
File created	C:\Windows\SysWOW64\Pnfiplog.exe	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bgbpaipl.exe
File opened for modification	C:\Windows\SysWOW64\Doojec32.exe	Dhdbhifj.exe
File created	C:\Windows\SysWOW64\Dqpfmlce.exe	Doojec32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgiohbfi.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Dpckjfgg.exe	Cadlbk32.exe
File created	C:\Windows\SysWOW64\Afnqfkij.dll	Dmlkhofd.exe
File opened for modification	C:\Windows\SysWOW64\Enfckp32.exe	Dqbcbkab.exe
File created	C:\Windows\SysWOW64\Eqncnj32.exe	Ehpadhll.exe
File opened for modification	C:\Windows\SysWOW64\Nfqnbjfi.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Bfcklp32.dll	Fkjmlaac.exe
File created	C:\Windows\SysWOW64\Kpqggh32.exe	Kifojnol.exe
File created	C:\Windows\SysWOW64\Cadlbk32.exe	Cglgjeci.exe
File created	C:\Windows\SysWOW64\Klndfj32.exe	Jllhpkfk.exe
File created	C:\Windows\SysWOW64\Mdcajc32.dll	Mokfja32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgbld32.exe	Nmipdk32.exe
File opened for modification	C:\Windows\SysWOW64\Lchfib32.exe	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Mgobel32.exe	Mminhceb.exe
File created	C:\Windows\SysWOW64\Bgnpek32.dll	Lhqefjpo.exe
File created	C:\Windows\SysWOW64\Fgcjfbed.exe	Fqgedh32.exe
File opened for modification	C:\Windows\SysWOW64\Klndfj32.exe	Jllhpkfk.exe
File opened for modification	C:\Windows\SysWOW64\Mhjhmhhd.exe	Lcmodajm.exe
File created	C:\Windows\SysWOW64\Aobmce32.dll	Fgmdec32.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Eolhbc32.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dnmhpg32.exe	Dmlkhofd.exe
File created	C:\Windows\SysWOW64\Enkdaepb.exe	Ekmhejao.exe
File opened for modification	C:\Windows\SysWOW64\Lcmodajm.exe	Llcghg32.exe
File created	C:\Windows\SysWOW64\Eoefilfc.dll	Aihaoqlp.exe
File created	C:\Windows\SysWOW64\Cnindhpg.exe	Clgbmp32.exe
File created	C:\Windows\SysWOW64\Edplhjhi.exe	Enfckp32.exe
File opened for modification	C:\Windows\SysWOW64\Fgmdec32.exe	Fbplml32.exe
File opened for modification	C:\Windows\SysWOW64\Qjhbfd32.exe	Qbajeg32.exe
File created	C:\Windows\SysWOW64\Nlphicca.dll	Fafdkmap.exe
File created	C:\Windows\SysWOW64\Lkeekk32.exe	Lnadagbm.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Cnindhpg.exe	Clgbmp32.exe
File created	C:\Windows\SysWOW64\Nmhijd32.exe	Nfnamjhk.exe
File opened for modification	C:\Windows\SysWOW64\Objkmkjj.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Dblamanm.dll	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Eeelnp32.exe	Enkdaepb.exe
File created	C:\Windows\SysWOW64\Dolmodpi.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Fbplml32.exe	Foapaa32.exe
File created	C:\Windows\SysWOW64\Ncbafoge.exe	Nmhijd32.exe
File opened for modification	C:\Windows\SysWOW64\Oqoefand.exe	Ofjqihnn.exe
File created	C:\Windows\SysWOW64\Hiebgmkm.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Pafkgphl.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Cpcpfg32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgabcge.exe	Lkeekk32.exe
File created	C:\Windows\SysWOW64\Maggnali.exe	Mgobel32.exe
File opened for modification	C:\Windows\SysWOW64\Lkalplel.exe	Ldgccb32.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Bdocph32.exe
File opened for modification	C:\Windows\SysWOW64\Eefaomcg.exe	Eolhbc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7524	7428	WerFault.exe	369

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifoah32.dll"	Eqgmmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcqjon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnblldi.dll"	Hecjke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lojmcdgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqkill32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcjjj32.dll"	Dolmodpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdihjbp.dll"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcbohigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneall32.dll"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chiigadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Foapaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Likhem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhegig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eolhbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dolmodpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkljb32.dll"	Igigla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eghkjdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbdpnaj.dll"	Gghdaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjohgj32.dll"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgnfq32.dll"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjaqpbkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maggnali.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdlkdhnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbfoaba.dll"	Hbenoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbajeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnmdme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmhko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.a9a3421db86570be59abb29aee7fdb60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmloej32.dll"	Bihjfnmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnadagbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hecjke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnaokmco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll"	Hifmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkhbi32.dll"	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhfdb32.dll"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effkpc32.dll"	Cbpajgmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgmdnki.dll"	Dmohno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Galoohke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhkf32.dll"	Cocacl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnljan.dll"	Bmbiamhi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 3804	956	NEAS.a9a3421db86570be59abb29aee7fdb60.exe	85
PID 956 wrote to memory of 3804	956	NEAS.a9a3421db86570be59abb29aee7fdb60.exe	85
PID 956 wrote to memory of 3804	956	NEAS.a9a3421db86570be59abb29aee7fdb60.exe	85
PID 3804 wrote to memory of 3436	3804	Pmannhhj.exe	87
PID 3804 wrote to memory of 3436	3804	Pmannhhj.exe	87
PID 3804 wrote to memory of 3436	3804	Pmannhhj.exe	87
PID 3436 wrote to memory of 3700	3436	Pmdkch32.exe	88
PID 3436 wrote to memory of 3700	3436	Pmdkch32.exe	88
PID 3436 wrote to memory of 3700	3436	Pmdkch32.exe	88
PID 3700 wrote to memory of 4112	3700	Pncgmkmj.exe	89
PID 3700 wrote to memory of 4112	3700	Pncgmkmj.exe	89
PID 3700 wrote to memory of 4112	3700	Pncgmkmj.exe	89
PID 4112 wrote to memory of 4412	4112	Pdmpje32.exe	90
PID 4112 wrote to memory of 4412	4112	Pdmpje32.exe	90
PID 4112 wrote to memory of 4412	4112	Pdmpje32.exe	90
PID 4412 wrote to memory of 3584	4412	Pqdqof32.exe	91
PID 4412 wrote to memory of 3584	4412	Pqdqof32.exe	91
PID 4412 wrote to memory of 3584	4412	Pqdqof32.exe	91
PID 3584 wrote to memory of 2152	3584	Dfpgffpm.exe	92
PID 3584 wrote to memory of 2152	3584	Dfpgffpm.exe	92
PID 3584 wrote to memory of 2152	3584	Dfpgffpm.exe	92
PID 2152 wrote to memory of 3140	2152	Doilmc32.exe	93
PID 2152 wrote to memory of 3140	2152	Doilmc32.exe	93
PID 2152 wrote to memory of 3140	2152	Doilmc32.exe	93
PID 3140 wrote to memory of 3756	3140	Eolhbc32.exe	94
PID 3140 wrote to memory of 3756	3140	Eolhbc32.exe	94
PID 3140 wrote to memory of 3756	3140	Eolhbc32.exe	94
PID 3756 wrote to memory of 2828	3756	Eefaomcg.exe	95
PID 3756 wrote to memory of 2828	3756	Eefaomcg.exe	95
PID 3756 wrote to memory of 2828	3756	Eefaomcg.exe	95
PID 2828 wrote to memory of 1500	2828	Ekbihd32.exe	96
PID 2828 wrote to memory of 1500	2828	Ekbihd32.exe	96
PID 2828 wrote to memory of 1500	2828	Ekbihd32.exe	96
PID 1500 wrote to memory of 2184	1500	Edknqiho.exe	97
PID 1500 wrote to memory of 2184	1500	Edknqiho.exe	97
PID 1500 wrote to memory of 2184	1500	Edknqiho.exe	97
PID 2184 wrote to memory of 3244	2184	Eaakpm32.exe	98
PID 2184 wrote to memory of 3244	2184	Eaakpm32.exe	98
PID 2184 wrote to memory of 3244	2184	Eaakpm32.exe	98
PID 3244 wrote to memory of 2520	3244	Ehkclgmb.exe	99
PID 3244 wrote to memory of 2520	3244	Ehkclgmb.exe	99
PID 3244 wrote to memory of 2520	3244	Ehkclgmb.exe	99
PID 2520 wrote to memory of 3116	2520	Fdbdah32.exe	100
PID 2520 wrote to memory of 3116	2520	Fdbdah32.exe	100
PID 2520 wrote to memory of 3116	2520	Fdbdah32.exe	100
PID 3116 wrote to memory of 4472	3116	Fafdkmap.exe	101
PID 3116 wrote to memory of 4472	3116	Fafdkmap.exe	101
PID 3116 wrote to memory of 4472	3116	Fafdkmap.exe	101
PID 4472 wrote to memory of 1980	4472	Fedmqk32.exe	102
PID 4472 wrote to memory of 1980	4472	Fedmqk32.exe	102
PID 4472 wrote to memory of 1980	4472	Fedmqk32.exe	102
PID 1980 wrote to memory of 2304	1980	Fefjfked.exe	103
PID 1980 wrote to memory of 2304	1980	Fefjfked.exe	103
PID 1980 wrote to memory of 2304	1980	Fefjfked.exe	103
PID 2304 wrote to memory of 4560	2304	Fnaokmco.exe	104
PID 2304 wrote to memory of 4560	2304	Fnaokmco.exe	104
PID 2304 wrote to memory of 4560	2304	Fnaokmco.exe	104
PID 4560 wrote to memory of 1560	4560	Gekcaj32.exe	105
PID 4560 wrote to memory of 1560	4560	Gekcaj32.exe	105
PID 4560 wrote to memory of 1560	4560	Gekcaj32.exe	105
PID 1560 wrote to memory of 4128	1560	Aompak32.exe	106
PID 1560 wrote to memory of 4128	1560	Aompak32.exe	106
PID 1560 wrote to memory of 4128	1560	Aompak32.exe	106
PID 4128 wrote to memory of 1952	4128	Ackigjmh.exe	107

C:\Users\Admin\AppData\Local\Temp\NEAS.a9a3421db86570be59abb29aee7fdb60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a9a3421db86570be59abb29aee7fdb60.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\Pmannhhj.exe
  C:\Windows\system32\Pmannhhj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\Pmdkch32.exe
    C:\Windows\system32\Pmdkch32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\Pncgmkmj.exe
      C:\Windows\system32\Pncgmkmj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4112
      - C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Eolhbc32.exe
        
        C:\Windows\system32\Eolhbc32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Eefaomcg.exe
        
        C:\Windows\system32\Eefaomcg.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Ekbihd32.exe
        
        C:\Windows\system32\Ekbihd32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Edknqiho.exe
        
        C:\Windows\system32\Edknqiho.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Eaakpm32.exe
        
        C:\Windows\system32\Eaakpm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ehkclgmb.exe
        
        C:\Windows\system32\Ehkclgmb.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Fdbdah32.exe
        
        C:\Windows\system32\Fdbdah32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Fafdkmap.exe
        
        C:\Windows\system32\Fafdkmap.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Fedmqk32.exe
        
        C:\Windows\system32\Fedmqk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Fefjfked.exe
        
        C:\Windows\system32\Fefjfked.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Fnaokmco.exe
        
        C:\Windows\system32\Fnaokmco.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Gekcaj32.exe
        
        C:\Windows\system32\Gekcaj32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Aompak32.exe
        
        C:\Windows\system32\Aompak32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ackigjmh.exe
        
        C:\Windows\system32\Ackigjmh.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Aihaoqlp.exe
        
        C:\Windows\system32\Aihaoqlp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Amfjeobf.exe
        
        C:\Windows\system32\Amfjeobf.exe
        24⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Acpbbi32.exe
        
        C:\Windows\system32\Acpbbi32.exe
        25⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Bcbohigp.exe
        
        C:\Windows\system32\Bcbohigp.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Boipmj32.exe
        
        C:\Windows\system32\Boipmj32.exe
        27⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Bfchidda.exe
        
        C:\Windows\system32\Bfchidda.exe
        28⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Bcghch32.exe
        
        C:\Windows\system32\Bcghch32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Bjaqpbkh.exe
        
        C:\Windows\system32\Bjaqpbkh.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Bqkill32.exe
        
        C:\Windows\system32\Bqkill32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3692

C:\Windows\SysWOW64\Bmbiamhi.exe
C:\Windows\system32\Bmbiamhi.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1932
- C:\Windows\SysWOW64\Bppfmigl.exe
  C:\Windows\system32\Bppfmigl.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- - C:\Windows\SysWOW64\Bfjnjcni.exe
    C:\Windows\system32\Bfjnjcni.exe
    3⤵
    - Executes dropped EXE
    PID:1892
  - - C:\Windows\SysWOW64\Bihjfnmm.exe
      C:\Windows\system32\Bihjfnmm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:1880
    - - C:\Windows\SysWOW64\Cgjjdf32.exe
        
        C:\Windows\system32\Cgjjdf32.exe
        5⤵
        Executes dropped EXE
        
        PID:3416
      - C:\Windows\SysWOW64\Cikglnkj.exe
        
        C:\Windows\system32\Cikglnkj.exe
        6⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Cglgjeci.exe
        
        C:\Windows\system32\Cglgjeci.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Cadlbk32.exe
        
        C:\Windows\system32\Cadlbk32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Dpckjfgg.exe
        
        C:\Windows\system32\Dpckjfgg.exe
        9⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Cbphdn32.exe
        
        C:\Windows\system32\Cbphdn32.exe
        10⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Cijpahho.exe
        
        C:\Windows\system32\Cijpahho.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\Codhnb32.exe
        
        C:\Windows\system32\Codhnb32.exe
        12⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Cofecami.exe
        
        C:\Windows\system32\Cofecami.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Igigla32.exe
        
        C:\Windows\system32\Igigla32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        16⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Lmbhgd32.exe
        
        C:\Windows\system32\Lmbhgd32.exe
        17⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Lnadagbm.exe
        
        C:\Windows\system32\Lnadagbm.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Lmgabcge.exe
        
        C:\Windows\system32\Lmgabcge.exe
        21⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Mcqjon32.exe
        
        C:\Windows\system32\Mcqjon32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Mjkblhfo.exe
        
        C:\Windows\system32\Mjkblhfo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Mminhceb.exe
        
        C:\Windows\system32\Mminhceb.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Mgobel32.exe
        
        C:\Windows\system32\Mgobel32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Maggnali.exe
        
        C:\Windows\system32\Maggnali.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        27⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Mchppmij.exe
        
        C:\Windows\system32\Mchppmij.exe
        28⤵
        Executes dropped EXE
        
        PID:492
        
        C:\Windows\SysWOW64\Mnmdme32.exe
        
        C:\Windows\system32\Mnmdme32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Mkadfj32.exe
        
        C:\Windows\system32\Mkadfj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        31⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        34⤵
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        35⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        36⤵
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3608
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        38⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        39⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2232
        
        C:\Windows\SysWOW64\Dmlkhofd.exe
        
        C:\Windows\system32\Dmlkhofd.exe
        41⤵
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        42⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        43⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4884
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        47⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        48⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        49⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        50⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        52⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        53⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        54⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        55⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        56⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        57⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        58⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        60⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        63⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        65⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        66⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        67⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        68⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        69⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        70⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        71⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        72⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        73⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        74⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        75⤵
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        76⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        77⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4260
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        80⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        81⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        82⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        83⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        84⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        85⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        86⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        87⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        89⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1328
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        91⤵
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        93⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        96⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        97⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        98⤵
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        99⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1424
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        101⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        102⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        103⤵
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        104⤵
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4376
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        107⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        108⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        109⤵
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        111⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        112⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        113⤵
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        114⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        115⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        117⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        118⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        119⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        120⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        124⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        126⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        127⤵
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        128⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        131⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        132⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        133⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        134⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        135⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2256
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        137⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        138⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        140⤵
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4472
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        142⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        143⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        144⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        145⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        146⤵
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        147⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        148⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        150⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        152⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        153⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        154⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        155⤵
        Drops file in System32 directory
        
        PID:6596
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        156⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        158⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        159⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        160⤵
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        161⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        162⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        163⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7008
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        165⤵
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        166⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        167⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        168⤵
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        169⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        170⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        172⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        173⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        174⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        175⤵
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        178⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        179⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7000
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        182⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        183⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6380
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        187⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        188⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6592
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        190⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        191⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        194⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5024
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        196⤵
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        197⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        198⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        199⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        201⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        202⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        203⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        204⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        206⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6588
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        210⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        211⤵
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        212⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        213⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        214⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        215⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        216⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7252
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7296
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        218⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        219⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        220⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        221⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        222⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        223⤵
        Drops file in System32 directory
        
        PID:7540
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        224⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        225⤵
        Modifies registry class
        
        PID:7620
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        226⤵
        Modifies registry class
        
        PID:7668
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        227⤵
        Drops file in System32 directory
        
        PID:7708
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        228⤵
        Drops file in System32 directory
        
        PID:7760
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        229⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7852
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        231⤵
        Modifies registry class
        
        PID:7892
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7936
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        233⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        234⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        235⤵
        Drops file in System32 directory
        
        PID:8080
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8116
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        237⤵
        Modifies registry class
        
        PID:8164
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        238⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        239⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7348
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        241⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 400
        242⤵
        Program crash
        
        PID:7524

C:\Windows\SysWOW64\Bgeaifia.exe
C:\Windows\system32\Bgeaifia.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7428 -ip 7428
1⤵
PID:7492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagdnn32.exe

Filesize
448KB

MD5
dc5cd890c43229e4cb1a6fb6988b4002

SHA1
6d8a95dd961c91068f743d650c93ea649a8ac304

SHA256
a248592a13ed77cb5534a98640e911827fd917e5ca45913eabc901007cd4dff8

SHA512
9dd977e33b42d165e76723606110cfc978c2cbd783e28abfd36bb965b6c0a61d503e3a0e360b1e63eda4a363b0608eed74f89af36e6f865ffbada0bbf48c7728

Download Submit
C:\Windows\SysWOW64\Ackigjmh.exe

Filesize
448KB

MD5
9e7235ea5f3fd27d90e449809921cecb

SHA1
dbb2d0981a7ece364d4d593eafbe65a8bf613e24

SHA256
edb159223021c2024009a3226d0dc768b869c4c5e48bc9b20699386edf189c3c

SHA512
4dc6a81871c27e6b0d3afafd8c7d187420d71000c96a753a40323246ec1bc104e69ab37708b75e5a912629b71bcf8b6354cc8b333b3ba63ed1a031145fbadcb3

Download Submit
C:\Windows\SysWOW64\Ackigjmh.exe

Filesize
448KB

MD5
9e7235ea5f3fd27d90e449809921cecb

SHA1
dbb2d0981a7ece364d4d593eafbe65a8bf613e24

SHA256
edb159223021c2024009a3226d0dc768b869c4c5e48bc9b20699386edf189c3c

SHA512
4dc6a81871c27e6b0d3afafd8c7d187420d71000c96a753a40323246ec1bc104e69ab37708b75e5a912629b71bcf8b6354cc8b333b3ba63ed1a031145fbadcb3

Download Submit
C:\Windows\SysWOW64\Acpbbi32.exe

Filesize
448KB

MD5
5984699a6ecb5484e5f13977eca1b71b

SHA1
ee7d9207de3f9fa3aaf2a6dca29b006fa706d541

SHA256
e11d67d45d68a8a9b625fa6966940feea48fa3fe8e4f9ebd4f718be2d19f2a76

SHA512
62764904c975f51dc53e830490079d11a249cef7084cd254e405a5796116bbda9a1cddecd55039b23438bfa52f3a1d0d08a65f14d83ee4560dd51f581ea1295a

Download Submit
C:\Windows\SysWOW64\Acpbbi32.exe

Filesize
448KB

MD5
5984699a6ecb5484e5f13977eca1b71b

SHA1
ee7d9207de3f9fa3aaf2a6dca29b006fa706d541

SHA256
e11d67d45d68a8a9b625fa6966940feea48fa3fe8e4f9ebd4f718be2d19f2a76

SHA512
62764904c975f51dc53e830490079d11a249cef7084cd254e405a5796116bbda9a1cddecd55039b23438bfa52f3a1d0d08a65f14d83ee4560dd51f581ea1295a

Download Submit
C:\Windows\SysWOW64\Aihaoqlp.exe

Filesize
448KB

MD5
cc9f507e4ed7301f066c48127e44d478

SHA1
7977878fbf7539bd331c18d45699341383ea2732

SHA256
438323cfbafc703a8e03b3bf81a5b367386e85c2c5fdf39e9c63c4e51bf8ce60

SHA512
d62fbb5a4be3a12c6408e0f5af22872e2d16ba345c96e02aa6385e222344209bde7f897d82676a96b7edafae2bc9400b98ff8236f9fd281de4b986f6d696bd1b

Download Submit
C:\Windows\SysWOW64\Aihaoqlp.exe

Filesize
448KB

MD5
cc9f507e4ed7301f066c48127e44d478

SHA1
7977878fbf7539bd331c18d45699341383ea2732

SHA256
438323cfbafc703a8e03b3bf81a5b367386e85c2c5fdf39e9c63c4e51bf8ce60

SHA512
d62fbb5a4be3a12c6408e0f5af22872e2d16ba345c96e02aa6385e222344209bde7f897d82676a96b7edafae2bc9400b98ff8236f9fd281de4b986f6d696bd1b

Download Submit
C:\Windows\SysWOW64\Amfjeobf.exe

Filesize
448KB

MD5
60693c0b9d5473e03474ba8f5893f21c

SHA1
2064fa503158a3f438556cf8f1dd15e87bf63145

SHA256
67004212b15f5d848cce2ced837ec89c0df9731920c45542168d16f1e3377b33

SHA512
53aa3e81ab033f39bcb742466824d4558dc5784b878f16da56b04210f12dc9ed86193cb9871f82f73190e73ed6ba122595ec807341ec9a6115c43aec0d2b3dc3

Download Submit
C:\Windows\SysWOW64\Amfjeobf.exe

Filesize
448KB

MD5
60693c0b9d5473e03474ba8f5893f21c

SHA1
2064fa503158a3f438556cf8f1dd15e87bf63145

SHA256
67004212b15f5d848cce2ced837ec89c0df9731920c45542168d16f1e3377b33

SHA512
53aa3e81ab033f39bcb742466824d4558dc5784b878f16da56b04210f12dc9ed86193cb9871f82f73190e73ed6ba122595ec807341ec9a6115c43aec0d2b3dc3

Download Submit
C:\Windows\SysWOW64\Aompak32.exe

Filesize
448KB

MD5
c79ec98c26be23d4f329263aef0e98cd

SHA1
f3c1ec05ea4783c6070666866b9c28e388a40c6b

SHA256
69908b250b520a4b60c5d79c6c01f20e0a55be01e46cfea8158752a95d31fe22

SHA512
69df1a83b8403697c12887d40ab2a2c47fdbb30092665aba1e7ab0cf43eecc274c648a839fa185bb9f3ee4c53e26ef27d8fdabfd75039666781c88781ae210e8

Download Submit
C:\Windows\SysWOW64\Aompak32.exe

Filesize
448KB

MD5
c79ec98c26be23d4f329263aef0e98cd

SHA1
f3c1ec05ea4783c6070666866b9c28e388a40c6b

SHA256
69908b250b520a4b60c5d79c6c01f20e0a55be01e46cfea8158752a95d31fe22

SHA512
69df1a83b8403697c12887d40ab2a2c47fdbb30092665aba1e7ab0cf43eecc274c648a839fa185bb9f3ee4c53e26ef27d8fdabfd75039666781c88781ae210e8

Download Submit
C:\Windows\SysWOW64\Aompak32.exe

Filesize
448KB

MD5
c79ec98c26be23d4f329263aef0e98cd

SHA1
f3c1ec05ea4783c6070666866b9c28e388a40c6b

SHA256
69908b250b520a4b60c5d79c6c01f20e0a55be01e46cfea8158752a95d31fe22

SHA512
69df1a83b8403697c12887d40ab2a2c47fdbb30092665aba1e7ab0cf43eecc274c648a839fa185bb9f3ee4c53e26ef27d8fdabfd75039666781c88781ae210e8

Download Submit
C:\Windows\SysWOW64\Bcbohigp.exe

Filesize
448KB

MD5
7a604b5251b8a95654f4490865f61b80

SHA1
2402ae8cc388826c57427a9165032785dad0d39e

SHA256
648c505f2e8f89646f0e76d201787950993839bda235b0e2c4f71315c78f4fd7

SHA512
a4b43e1e892d488d953a0321d5e40599188e0ae32cf1fa9fdf37de80e9d39eb3dba3129b704d18a4663e5fcff01ae47a700289b4e1393eb16c7f910b65cfa6cb

Download Submit
C:\Windows\SysWOW64\Bcbohigp.exe

Filesize
448KB

MD5
7a604b5251b8a95654f4490865f61b80

SHA1
2402ae8cc388826c57427a9165032785dad0d39e

SHA256
648c505f2e8f89646f0e76d201787950993839bda235b0e2c4f71315c78f4fd7

SHA512
a4b43e1e892d488d953a0321d5e40599188e0ae32cf1fa9fdf37de80e9d39eb3dba3129b704d18a4663e5fcff01ae47a700289b4e1393eb16c7f910b65cfa6cb

Download Submit
C:\Windows\SysWOW64\Bcghch32.exe

Filesize
448KB

MD5
1c8e14ac2f10c079e5a47d02ed9bbd47

SHA1
9a972cce5e5f5a68af4fd3102afe7a170bfe038d

SHA256
55cd647fff231bcbf2924b95e22e9cc59a0f633ee59da064b144923a8b16370e

SHA512
333fc483ab29296f53e8ad4fa2ebc8bfb0fcbd3a2a50da5be93c6067b91c70b44843808325b3e22cd763d11b5325726432ea2ae3e0a3faa3fe463c7b37217db9

Download Submit
C:\Windows\SysWOW64\Bcghch32.exe

Filesize
448KB

MD5
1c8e14ac2f10c079e5a47d02ed9bbd47

SHA1
9a972cce5e5f5a68af4fd3102afe7a170bfe038d

SHA256
55cd647fff231bcbf2924b95e22e9cc59a0f633ee59da064b144923a8b16370e

SHA512
333fc483ab29296f53e8ad4fa2ebc8bfb0fcbd3a2a50da5be93c6067b91c70b44843808325b3e22cd763d11b5325726432ea2ae3e0a3faa3fe463c7b37217db9

Download Submit
C:\Windows\SysWOW64\Bfchidda.exe

Filesize
448KB

MD5
9cce93eb1a1b28dc3e521f3eac17875d

SHA1
1eb1b8056e438140d8a517c9f3fbbc706153bce5

SHA256
97181f8e63c3c117e6ade7ea37df85cd928e9b9095cceb712d95713c2c28dd7c

SHA512
4fcd008024fbf9bb6afa2867b8b7b840f4cb203b7600c97a9fda8296e8fbecad9650f28a7ee37389cb8c123c7e27be9ae9b7355457e0b074aee1a32f97cb15dd

Download Submit
C:\Windows\SysWOW64\Bfchidda.exe

Filesize
448KB

MD5
9cce93eb1a1b28dc3e521f3eac17875d

SHA1
1eb1b8056e438140d8a517c9f3fbbc706153bce5

SHA256
97181f8e63c3c117e6ade7ea37df85cd928e9b9095cceb712d95713c2c28dd7c

SHA512
4fcd008024fbf9bb6afa2867b8b7b840f4cb203b7600c97a9fda8296e8fbecad9650f28a7ee37389cb8c123c7e27be9ae9b7355457e0b074aee1a32f97cb15dd

Download Submit
C:\Windows\SysWOW64\Bgeaifia.exe

Filesize
448KB

MD5
53592d530fb4f2be2d3e9d9974bbe4a3

SHA1
03d47d48db7fcece30d0795883fded12b77f1a78

SHA256
cda5733df8f647aab6a7f4502cd4525a2d15da26bd08fb70af8e6899a8d7fddc

SHA512
36533ef8f9f380fb96bdba6d9add89c657bfeb23d4314db61c65c058a01496b31c9b1d0f91594d5cf5b77136224fe3eadaad293011e799d6e4991a9862340534

Download Submit
C:\Windows\SysWOW64\Bgeaifia.exe

Filesize
448KB

MD5
53592d530fb4f2be2d3e9d9974bbe4a3

SHA1
03d47d48db7fcece30d0795883fded12b77f1a78

SHA256
cda5733df8f647aab6a7f4502cd4525a2d15da26bd08fb70af8e6899a8d7fddc

SHA512
36533ef8f9f380fb96bdba6d9add89c657bfeb23d4314db61c65c058a01496b31c9b1d0f91594d5cf5b77136224fe3eadaad293011e799d6e4991a9862340534

Download Submit
C:\Windows\SysWOW64\Bjaqpbkh.exe

Filesize
448KB

MD5
86fd030fd37066ef326d2fde061a5ce8

SHA1
e560a76bdf5a1866c172fcafd0179b48585ce487

SHA256
acc081dc3ee8b23e3c5343d72b4d74748e85437fb680c3bc6805eae5fc97981c

SHA512
49718b5108b0418be60eac5458be6dce68952f0233a018544f38da36507b9b24314e93b984f7cf9e7031316665b4b8cf75e1ab6122a182288438038075074266

Download Submit
C:\Windows\SysWOW64\Bjaqpbkh.exe

Filesize
448KB

MD5
86fd030fd37066ef326d2fde061a5ce8

SHA1
e560a76bdf5a1866c172fcafd0179b48585ce487

SHA256
acc081dc3ee8b23e3c5343d72b4d74748e85437fb680c3bc6805eae5fc97981c

SHA512
49718b5108b0418be60eac5458be6dce68952f0233a018544f38da36507b9b24314e93b984f7cf9e7031316665b4b8cf75e1ab6122a182288438038075074266

Download Submit
C:\Windows\SysWOW64\Bmbiamhi.exe

Filesize
448KB

MD5
f061bd21b9b9cf9871aca3560e97c719

SHA1
b6983d16b68d108c5ccf325ca0dff8104422827a

SHA256
9a4f66109ee4e9f945f92bd33eb4f6c6ba352d31eee74f0d6df2440ed406cd41

SHA512
1d0a0a50f3ed4d1a292e9a78580022297314ca40e6deb64438762e6ab51f12e7a0a411d26e0a0c190afb61ad2030375844cfb4cd4aaa44e8049e71f9ff2feda1

Download Submit
C:\Windows\SysWOW64\Bmbiamhi.exe

Filesize
448KB

MD5
f061bd21b9b9cf9871aca3560e97c719

SHA1
b6983d16b68d108c5ccf325ca0dff8104422827a

SHA256
9a4f66109ee4e9f945f92bd33eb4f6c6ba352d31eee74f0d6df2440ed406cd41

SHA512
1d0a0a50f3ed4d1a292e9a78580022297314ca40e6deb64438762e6ab51f12e7a0a411d26e0a0c190afb61ad2030375844cfb4cd4aaa44e8049e71f9ff2feda1

Download Submit
C:\Windows\SysWOW64\Boipmj32.exe

Filesize
448KB

MD5
f2cc36800896018d33a47032cd40d548

SHA1
d4e0823a384c448778202aa2437789655c887559

SHA256
5e119048c60f1e67913670e28bc4be220ba597a5193084562168d370baec54f4

SHA512
2556227e28d90fcf1bee0322f458aeeb33303c92ab413ddba8c7065e5046a8eea589d1074e53c1ae515f0064ddc6f6a317072df778fc850547aab266eecee8f6

Download Submit
C:\Windows\SysWOW64\Boipmj32.exe

Filesize
448KB

MD5
f2cc36800896018d33a47032cd40d548

SHA1
d4e0823a384c448778202aa2437789655c887559

SHA256
5e119048c60f1e67913670e28bc4be220ba597a5193084562168d370baec54f4

SHA512
2556227e28d90fcf1bee0322f458aeeb33303c92ab413ddba8c7065e5046a8eea589d1074e53c1ae515f0064ddc6f6a317072df778fc850547aab266eecee8f6

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
384KB

MD5
4a4e30a4be75af7cba27c951442a11af

SHA1
ebd0d078aead6750fa885e1bb51cfd6aac6f29f3

SHA256
550c9a99e17d16c9b0cc6fbc86571501f455c4a8b8efcff4610cf171079fc570

SHA512
d66f5ed254eba203d692235598f5d802c2b30a408d57eed29652ca3b4d0b94316dea93673d00e9ff52767ddf86367eabe758ec7e5eae00595ff6b636ccbc1c5c

Download Submit
C:\Windows\SysWOW64\Bqkill32.exe

Filesize
448KB

MD5
1bd5c22b4f39c72d79b7d7c1fa360e1b

SHA1
d59f54941f8e3cdea19e1c356c8386c836f7139b

SHA256
aaeae0a0bff57396d45aa533b618c8467c154986dae9544f1b87bbba9d3027ec

SHA512
45a871d759844acaaffc70fbf40b129e6d441910453fc2775405a003c22f412585305e6de26e928a1bb6fed5372474279681c0a29b9c7272d35207469667eace

Download Submit
C:\Windows\SysWOW64\Bqkill32.exe

Filesize
448KB

MD5
1bd5c22b4f39c72d79b7d7c1fa360e1b

SHA1
d59f54941f8e3cdea19e1c356c8386c836f7139b

SHA256
aaeae0a0bff57396d45aa533b618c8467c154986dae9544f1b87bbba9d3027ec

SHA512
45a871d759844acaaffc70fbf40b129e6d441910453fc2775405a003c22f412585305e6de26e928a1bb6fed5372474279681c0a29b9c7272d35207469667eace

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
448KB

MD5
0d3dc90fa3b654d8248596e0c44e4565

SHA1
8b702c1a1f91b2a6a287db06ffbd5ebb1a98c37f

SHA256
f270cd063565c771821b37b96dae67fad841b5ed4c84daf05af205dc30226ced

SHA512
e0e5dbc449f7e101d84eb35b79045e6e2174ed3bd316ab7fc4965b4505dcbdead922e6b0b904120e0199143b56eaba8b30bb343bbd395622ff2612186fc93293

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
448KB

MD5
0d3dc90fa3b654d8248596e0c44e4565

SHA1
8b702c1a1f91b2a6a287db06ffbd5ebb1a98c37f

SHA256
f270cd063565c771821b37b96dae67fad841b5ed4c84daf05af205dc30226ced

SHA512
e0e5dbc449f7e101d84eb35b79045e6e2174ed3bd316ab7fc4965b4505dcbdead922e6b0b904120e0199143b56eaba8b30bb343bbd395622ff2612186fc93293

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
448KB

MD5
594a5ce6e101e66885363306ba89a4c2

SHA1
9c025e2ff0dd5a535015f0c220e5cc96a973a485

SHA256
ba6e5aecb5b4369711eeb3f20518715509bac720434f5c79138ee646a29a95fd

SHA512
08e0fc2b827a504deeaeee58d7c82caa3cb11044af0994d11306385d1e633e7aa7f60eb4f748f17d8ef5a78c74a5e055b754db73b4d9cd20cc870da1bafbb844

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
448KB

MD5
594a5ce6e101e66885363306ba89a4c2

SHA1
9c025e2ff0dd5a535015f0c220e5cc96a973a485

SHA256
ba6e5aecb5b4369711eeb3f20518715509bac720434f5c79138ee646a29a95fd

SHA512
08e0fc2b827a504deeaeee58d7c82caa3cb11044af0994d11306385d1e633e7aa7f60eb4f748f17d8ef5a78c74a5e055b754db73b4d9cd20cc870da1bafbb844

Download Submit
C:\Windows\SysWOW64\Dpckjfgg.exe

Filesize
448KB

MD5
1d4d9835cef036ce171d5b03ffa02127

SHA1
1ef8258c6fe53f28ccb572ae84972043239ce233

SHA256
1e413d7b63d22dd8c66ddf4d8ab2a7f2d1f84d926e3e13a1c8fac9bae9f327ff

SHA512
b0aa1cc9af72da522d0db6adefb4337452a0ccf092db08f15a8a9af1c10684957de0d23cb45a14a2d80e0fb7f28dd944fe735c32bb2520ca7b4acc48b493b842

Download Submit
C:\Windows\SysWOW64\Eaakpm32.exe

Filesize
448KB

MD5
a7a97a8a7a27bd8af25ae2287eb43dbc

SHA1
e8904f367abb478bdceecbd8a4da3913c492dea2

SHA256
75b3c1b8eac41139f7c8d960549a675a06df86cc399e541294d1033d4fc5d6e1

SHA512
59c82ba35af39fbc7c0f85b5c6a51049a4fbf70d7667e9bdfa4f43b4dceb48f23c745d78ed6a6286e926142d2ad30b52bac08bdbd8bf14461bb228dd6ea9ed9b

Download Submit
C:\Windows\SysWOW64\Eaakpm32.exe

Filesize
448KB

MD5
a7a97a8a7a27bd8af25ae2287eb43dbc

SHA1
e8904f367abb478bdceecbd8a4da3913c492dea2

SHA256
75b3c1b8eac41139f7c8d960549a675a06df86cc399e541294d1033d4fc5d6e1

SHA512
59c82ba35af39fbc7c0f85b5c6a51049a4fbf70d7667e9bdfa4f43b4dceb48f23c745d78ed6a6286e926142d2ad30b52bac08bdbd8bf14461bb228dd6ea9ed9b

Download Submit
C:\Windows\SysWOW64\Edknqiho.exe

Filesize
448KB

MD5
4d6801ee533d67e673962b048ef3f17c

SHA1
b5f2b0297ac7b50ed11c652791945b8316110762

SHA256
21ca46b813f716911248d1c0088a3e96cd1d07877d95fb89c1234f4407cd2d26

SHA512
4bf60cf0b218b8d8596823a6b1d789c2723a0c14a95fa99297b6a6ea2b54f5935a413f08d34903f4f6be192881f5d456915dfa07c1f5c10fb7e8bd456d04f9fe

Download Submit
C:\Windows\SysWOW64\Edknqiho.exe

Filesize
448KB

MD5
4d6801ee533d67e673962b048ef3f17c

SHA1
b5f2b0297ac7b50ed11c652791945b8316110762

SHA256
21ca46b813f716911248d1c0088a3e96cd1d07877d95fb89c1234f4407cd2d26

SHA512
4bf60cf0b218b8d8596823a6b1d789c2723a0c14a95fa99297b6a6ea2b54f5935a413f08d34903f4f6be192881f5d456915dfa07c1f5c10fb7e8bd456d04f9fe

Download Submit
C:\Windows\SysWOW64\Eefaomcg.exe

Filesize
448KB

MD5
23c8fc17fabf9242ff729c873e61bb10

SHA1
4132f79bdddae38f6f0e328ad3310576d63aa533

SHA256
964f10593ba90cf7b9551e1a82bb90a9309def88b6af93b5a2d038afdc523ff3

SHA512
37e634cb2e5d5cfe15dc73001a7f55444984b866f8c33c70d020915db81ca42a8f811c3ec6df284b1f6a101de6ce52e3c1e08ec4e51d3d848c5fa22f345088f9

Download Submit
C:\Windows\SysWOW64\Eefaomcg.exe

Filesize
448KB

MD5
23c8fc17fabf9242ff729c873e61bb10

SHA1
4132f79bdddae38f6f0e328ad3310576d63aa533

SHA256
964f10593ba90cf7b9551e1a82bb90a9309def88b6af93b5a2d038afdc523ff3

SHA512
37e634cb2e5d5cfe15dc73001a7f55444984b866f8c33c70d020915db81ca42a8f811c3ec6df284b1f6a101de6ce52e3c1e08ec4e51d3d848c5fa22f345088f9

Download Submit
C:\Windows\SysWOW64\Ehkclgmb.exe

Filesize
448KB

MD5
c1b809702f1233e1dc5556ef703eb010

SHA1
3cafec52311a04df72a799b956510cfaa8fa524d

SHA256
6850f085759b911c177c4566092ecbf029345e0f7a043b1251404be6dcd47431

SHA512
ed4dcca17a9e9c420736912da0a7cadad1585c75a124656ce275fda4faa1ca79af322a79cd5a7b6ac91ac70b3ec8e7525ae577bfc2a0fc8ae6e32ffcc8af4262

Download Submit
C:\Windows\SysWOW64\Ehkclgmb.exe

Filesize
448KB

MD5
c1b809702f1233e1dc5556ef703eb010

SHA1
3cafec52311a04df72a799b956510cfaa8fa524d

SHA256
6850f085759b911c177c4566092ecbf029345e0f7a043b1251404be6dcd47431

SHA512
ed4dcca17a9e9c420736912da0a7cadad1585c75a124656ce275fda4faa1ca79af322a79cd5a7b6ac91ac70b3ec8e7525ae577bfc2a0fc8ae6e32ffcc8af4262

Download Submit
C:\Windows\SysWOW64\Ekbihd32.exe

Filesize
448KB

MD5
3aaca995cb8fa10b1d026e38ca3f95ff

SHA1
539c5b02a4d0ba468abcf2c65d661e62d1bbe242

SHA256
f18fda7c216f3aebc2d29a6712a35fdca734e07ec90b437858a9b342253b1dae

SHA512
78b6328dbe41a8d207101593275e098315a3b85451af008a4cafd8611ee87e26868f10d7efeb302eb471d5204eedc552131916c99258348f423418609c05daca

Download Submit
C:\Windows\SysWOW64\Ekbihd32.exe

Filesize
448KB

MD5
3aaca995cb8fa10b1d026e38ca3f95ff

SHA1
539c5b02a4d0ba468abcf2c65d661e62d1bbe242

SHA256
f18fda7c216f3aebc2d29a6712a35fdca734e07ec90b437858a9b342253b1dae

SHA512
78b6328dbe41a8d207101593275e098315a3b85451af008a4cafd8611ee87e26868f10d7efeb302eb471d5204eedc552131916c99258348f423418609c05daca

Download Submit
C:\Windows\SysWOW64\Eolhbc32.exe

Filesize
448KB

MD5
c0d6af0333ea3ed59dae4493cb6c3d4f

SHA1
15aa369aad673980cc26d01547eb529e1aaf9393

SHA256
d375d3595ecee87e311cf0ec57d648121d6b8eb05b2ace150ad0124da16c7e70

SHA512
21a1108c5196932b51815f8c951f968f781de1c1964359c95855c4c85bed9b6140bfc3ec294a355509e1f2fb1031927f03ec778c59e98909ac583d52d4cab9b5

Download Submit
C:\Windows\SysWOW64\Eolhbc32.exe

Filesize
448KB

MD5
c0d6af0333ea3ed59dae4493cb6c3d4f

SHA1
15aa369aad673980cc26d01547eb529e1aaf9393

SHA256
d375d3595ecee87e311cf0ec57d648121d6b8eb05b2ace150ad0124da16c7e70

SHA512
21a1108c5196932b51815f8c951f968f781de1c1964359c95855c4c85bed9b6140bfc3ec294a355509e1f2fb1031927f03ec778c59e98909ac583d52d4cab9b5

Download Submit
C:\Windows\SysWOW64\Fafdkmap.exe

Filesize
448KB

MD5
09fabf45438fdaa7f2cc89455cb8c50e

SHA1
a409a660463bd1d3e942d5892aab55b9f5c54fa6

SHA256
fdef134a6a542aa4c2a3a3b62449f0a00121c8bb30275ddf8955143abd8b9dc3

SHA512
75975773170b260e92317fcc7f29392ffdf6ff290bdc78bb55eabc2d7b971f4fb84e925f94125c612fc0e6b3871d3d6a35e35841b7f95516f70da5cac07fd76f

Download Submit
C:\Windows\SysWOW64\Fafdkmap.exe

Filesize
448KB

MD5
09fabf45438fdaa7f2cc89455cb8c50e

SHA1
a409a660463bd1d3e942d5892aab55b9f5c54fa6

SHA256
fdef134a6a542aa4c2a3a3b62449f0a00121c8bb30275ddf8955143abd8b9dc3

SHA512
75975773170b260e92317fcc7f29392ffdf6ff290bdc78bb55eabc2d7b971f4fb84e925f94125c612fc0e6b3871d3d6a35e35841b7f95516f70da5cac07fd76f

Download Submit
C:\Windows\SysWOW64\Fdbdah32.exe

Filesize
448KB

MD5
69c08cef660b5a5afb6e86494b130560

SHA1
6a81be5d9c59a1dfee7f94fb5b5020f210097853

SHA256
684bf0bfeb1735390b762bd980d72295d6ce15fcb9c0a06d85db4c4b79087eb2

SHA512
1aea12e7b28e8113492ba75d9b1456c4dd8272877ac329ab54c0149804ddeffbf15534e8752aa2340c0a5dcaa0f9fb6c899151115c41ba44a647dcb2ca5078aa

Download Submit
C:\Windows\SysWOW64\Fdbdah32.exe

Filesize
448KB

MD5
69c08cef660b5a5afb6e86494b130560

SHA1
6a81be5d9c59a1dfee7f94fb5b5020f210097853

SHA256
684bf0bfeb1735390b762bd980d72295d6ce15fcb9c0a06d85db4c4b79087eb2

SHA512
1aea12e7b28e8113492ba75d9b1456c4dd8272877ac329ab54c0149804ddeffbf15534e8752aa2340c0a5dcaa0f9fb6c899151115c41ba44a647dcb2ca5078aa

Download Submit
C:\Windows\SysWOW64\Fedmqk32.exe

Filesize
448KB

MD5
38b683d0d5f8cf708c9cad2642fe0dd3

SHA1
3dca49a18fc51e3f69569b28fa961be7abfa21b6

SHA256
a3dc0312b0bc8555f1b6fc2f25c8ec77c755284e62b6028fe3f98684e3421ad0

SHA512
03694537ca36ad3e05433968541c70e9c651f056924fa8496307bccf357dda14f507e04012a181a8a730a4760c8b2597500116e19ba97ec4f4d08d5960c79c2a

Download Submit
C:\Windows\SysWOW64\Fedmqk32.exe

Filesize
448KB

MD5
38b683d0d5f8cf708c9cad2642fe0dd3

SHA1
3dca49a18fc51e3f69569b28fa961be7abfa21b6

SHA256
a3dc0312b0bc8555f1b6fc2f25c8ec77c755284e62b6028fe3f98684e3421ad0

SHA512
03694537ca36ad3e05433968541c70e9c651f056924fa8496307bccf357dda14f507e04012a181a8a730a4760c8b2597500116e19ba97ec4f4d08d5960c79c2a

Download Submit
C:\Windows\SysWOW64\Fedmqk32.exe

Filesize
448KB

MD5
38b683d0d5f8cf708c9cad2642fe0dd3

SHA1
3dca49a18fc51e3f69569b28fa961be7abfa21b6

SHA256
a3dc0312b0bc8555f1b6fc2f25c8ec77c755284e62b6028fe3f98684e3421ad0

SHA512
03694537ca36ad3e05433968541c70e9c651f056924fa8496307bccf357dda14f507e04012a181a8a730a4760c8b2597500116e19ba97ec4f4d08d5960c79c2a

Download Submit
C:\Windows\SysWOW64\Fefjfked.exe

Filesize
448KB

MD5
b59469d4922286426b60cd2aef24a45c

SHA1
c4d15075869e59d111d901a09034e22fc9e42a01

SHA256
bbf577512871ca2b714fb3c8b24b5952659cbf8d34f29f29a63b6277abefe562

SHA512
1fb507c6b07750052a938a564c0665a24f4bc66194a9b56c7287dba91891fd76f8977b826f649c0434b209e9bddc2c138d4692fd9a846d61f659260a66c48928

Download Submit
C:\Windows\SysWOW64\Fefjfked.exe

Filesize
448KB

MD5
b59469d4922286426b60cd2aef24a45c

SHA1
c4d15075869e59d111d901a09034e22fc9e42a01

SHA256
bbf577512871ca2b714fb3c8b24b5952659cbf8d34f29f29a63b6277abefe562

SHA512
1fb507c6b07750052a938a564c0665a24f4bc66194a9b56c7287dba91891fd76f8977b826f649c0434b209e9bddc2c138d4692fd9a846d61f659260a66c48928

Download Submit
C:\Windows\SysWOW64\Fgmdec32.exe

Filesize
448KB

MD5
417ace70e987c81d1b215158db293a86

SHA1
072f12b75336f23a3212405312cbc99fac923c5c

SHA256
720336432470eee526346dee81d0a4813dadbd7a19b83584292619de10c84a7c

SHA512
3e9cdb89b549771f9838f87f88bd082b043a3463c7efc11b361abdbdcea18a5d68bc5993e6f0777c1a2de24fd1965f1c01510b60a544fcd0d17af78519b9d147

Download Submit
C:\Windows\SysWOW64\Fnaokmco.exe

Filesize
448KB

MD5
7559f1d5f3fcda9258a4650b552b746e

SHA1
40ac77424e579f352e7a40bda3bc17b90ec230d0

SHA256
becdeadca782c4c7023e1e3fa142195bac92a037e438eb0f72ef844d40bbba2b

SHA512
cf2860b6082c0ac9d7e133bbc106a6378898a555cac64eed8703d55fb3453170190a08c3cab5a80ae0350f20cab85fecd0c177f03d5f0882c0243665b185617d

Download Submit
C:\Windows\SysWOW64\Fnaokmco.exe

Filesize
448KB

MD5
7559f1d5f3fcda9258a4650b552b746e

SHA1
40ac77424e579f352e7a40bda3bc17b90ec230d0

SHA256
becdeadca782c4c7023e1e3fa142195bac92a037e438eb0f72ef844d40bbba2b

SHA512
cf2860b6082c0ac9d7e133bbc106a6378898a555cac64eed8703d55fb3453170190a08c3cab5a80ae0350f20cab85fecd0c177f03d5f0882c0243665b185617d

Download Submit
C:\Windows\SysWOW64\Galoohke.exe

Filesize
448KB

MD5
5703707613f918a6e267e5045811c1a2

SHA1
9c2472015c9322051b5798488aa50119e615fded

SHA256
b2cc59329ef8ae898ae128a81fe12710d3ceadc86b054adb56ca53bf74cf7b7f

SHA512
05b96fab912ad8b54dd650a86d514994338d9bca59c9cbd6d88bac2f6edf67162f5693365e3cbb122b4cfaace89635f9e692233347b6321ab0c4735817a2757d

Download Submit
C:\Windows\SysWOW64\Gekcaj32.exe

Filesize
448KB

MD5
b180e79b197296bc40ff2b879a9d9ed7

SHA1
6c628278bbc3320cfdcc65dc124780672ccb9281

SHA256
930b1fd49216e25d82b28a345b350cfe37da39136cf082db9eb0b6e9d62229a0

SHA512
768167b7d65ca22c11236d6ca8446969420bc0a678f4a624b6c86307d546a85ce620f8347a6d815e8e799c99d63013747a57b69329caa025776b778e8ca6e1d7

Download Submit
C:\Windows\SysWOW64\Gekcaj32.exe

Filesize
448KB

MD5
b180e79b197296bc40ff2b879a9d9ed7

SHA1
6c628278bbc3320cfdcc65dc124780672ccb9281

SHA256
930b1fd49216e25d82b28a345b350cfe37da39136cf082db9eb0b6e9d62229a0

SHA512
768167b7d65ca22c11236d6ca8446969420bc0a678f4a624b6c86307d546a85ce620f8347a6d815e8e799c99d63013747a57b69329caa025776b778e8ca6e1d7

Download Submit
C:\Windows\SysWOW64\Ieccbbkn.exe

Filesize
448KB

MD5
380980952d4488df75acc1b8e874b5b7

SHA1
6626be0b27444a05952d4e2bc30556ef3b3ec3e6

SHA256
def4cfc2b7acbd758b7110d947e6da99564977cb627a44f1d65ba7fb94a81228

SHA512
1e5415b0eab6426285fcddc2b0d46f5e742260ab01787f8995432bb880772cdfd66b41f78ca1be3fd84ea2288c55f9e3a69fb398eaccc9deaab663635ff64ee2

Download Submit
C:\Windows\SysWOW64\Jihbip32.exe

Filesize
448KB

MD5
147ccccf094498df7fab5441f7482daf

SHA1
35406bbc403de50d39a2119fbf491cad3f7a9f1c

SHA256
4246c70546ccebb1dd15d50d6af1410011d92b9c13ea58103225fbf80d3f21ba

SHA512
715d6865396477534329556354836d18b2b0b936dc30028a8fd16fa78379a919a742800f2c0000c9ad4cd7dbd9a0edfb49a6578499baac1bc5cde7221adff9f1

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
448KB

MD5
fc8c0de0cfadac91f538437eb1f1944d

SHA1
087c625e7f019f925fc1010c6e83e45e00624df8

SHA256
540d870386d6440fee5bc0d6829317b2fbfb180623412d8aa969aff481579200

SHA512
cf4997d3b9f86c26ba5ede5ea3430419da5a19e3a55813bf043d4cd9196b099a471ccfa012caae7c42aae7621d63af02c1245cdb965512439f0fb23ee5c38a01

Download Submit
C:\Windows\SysWOW64\Maggnali.exe

Filesize
448KB

MD5
eb4664bf17592a01de3374a012659f2f

SHA1
3f00f6291f660455ff0ff8cd5f65a17f9a38d13a

SHA256
b4a98a653b30f383c2fd71104d6d535768c783e87dd6d5d2940bd2031c759679

SHA512
7e62e5b6723973c5a1e813be064a4a6ff3c899f3acf8e1e5e85fbe816c69d1dd227a9f72a084a0b67121b7c2468afdea54529aac5114579a6d7ed3fe1908dac6

Download Submit
C:\Windows\SysWOW64\Ncmhko32.exe

Filesize
448KB

MD5
53ce99b557f14c6c30fda7a87fe877c3

SHA1
7bfedde0ff5e80ada0f40f5d12922904cf43d730

SHA256
3b1fe4afecfa1e66f76836c145b32434d71ce80583e1bb495b26de9779bbd558

SHA512
d3bb028f3f4d39b943b9c67ef7cadbc1af2a2e36e2d5d4a3e8f3f8988e91d61d5efc5e94b1e65da93f3f0929ff3d77831e7dbc81a1b45588259f9fe1f370c82b

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
448KB

MD5
7b2195725ab1fe6aca57ac3183ad8e47

SHA1
4771393308a634c49a28524a58e99d89e84583da

SHA256
d9a5ee6dbada8c3e9a90fa504ce75c9a69fbf0a7dbea6454832141a694d68452

SHA512
5e63717385c0048f01ae53e8497fc47808f39f7dfbf063fde432f96997b1b0c3c97761188622a462feafbef789f7bdb6f28a8f76fed02b6ee8e85a5bfbd49274

Download Submit
C:\Windows\SysWOW64\Ojnfihmo.exe

Filesize
448KB

MD5
511843b10aa72fab60bdcde2106018b3

SHA1
b9007f3ac40afd60905476e799806cf1e6074758

SHA256
790303158079257f32c194ba6eeda620c650b3b42ba9e6969f96072407efbbe2

SHA512
67651461ac046b9c4cc1f9f3cea91ac9b32ea4387d30d8654377c5e23fce56c96b8b7d6d8f7a580bf5639a1300646b2b53ef5448f9711dff9fe6bd0e877cc9ee

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
448KB

MD5
32310158af845891f5a9a0c26c5f1bc9

SHA1
af617e144872618e194b49e325d0d5fca95f79c5

SHA256
aa0ae67a23aa61e520caf879d4add93e46d68604fa4b083010f7310d6bdd3a2c

SHA512
b0e10ca3d7681f8a5a8d3ac3db15bb4859be95e1a93502f75e759aaf77ccd9d166f025501c03ce598c843fa722507b20d50c3ecfb11d35062b296dc98bef1cab

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
448KB

MD5
8a22d19c3c34111a97dbfe55948ff3d1

SHA1
85d850b2629e8ef102cd4832116fa6962329d54d

SHA256
421252842f5569099f8fdd5760dd2ecd85d79dad0861611f343c7531724a2300

SHA512
1a3d5b22f5c2bff0ada8e848ee5175893a0a9bb25a40cf64b96ac1843e46df15ab18ce226589688bc938d83561de3b8a50411a1d8540a21befdadce3f84e83c7

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
448KB

MD5
8a22d19c3c34111a97dbfe55948ff3d1

SHA1
85d850b2629e8ef102cd4832116fa6962329d54d

SHA256
421252842f5569099f8fdd5760dd2ecd85d79dad0861611f343c7531724a2300

SHA512
1a3d5b22f5c2bff0ada8e848ee5175893a0a9bb25a40cf64b96ac1843e46df15ab18ce226589688bc938d83561de3b8a50411a1d8540a21befdadce3f84e83c7

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
448KB

MD5
d84db6777a668a749f5496732f7562c5

SHA1
2dec9fdf69a08f3780aa777e48212871618d13ba

SHA256
79fde4cffbae5490a8878b1291acf14967b951303297dda5d4951358e7b61d74

SHA512
1c15dc3cff14678f7267b162808fbddc42491dd54c56f73bd6c2ff8a3f8b5b65b25a592cc9a043679b225f258bb6365ef9043882be5301005d9c7e03f2cbde33

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
448KB

MD5
d84db6777a668a749f5496732f7562c5

SHA1
2dec9fdf69a08f3780aa777e48212871618d13ba

SHA256
79fde4cffbae5490a8878b1291acf14967b951303297dda5d4951358e7b61d74

SHA512
1c15dc3cff14678f7267b162808fbddc42491dd54c56f73bd6c2ff8a3f8b5b65b25a592cc9a043679b225f258bb6365ef9043882be5301005d9c7e03f2cbde33

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
448KB

MD5
0ff78a4c511c99c537dcb9ccb9d1ab42

SHA1
c5911bf7e25074287a697fe3a833521415eb563f

SHA256
b6c506e6a533718d10ba58f0b1dcceec59581221ae9cbc04e4001a984ec6c555

SHA512
9bc1a386a594f5c6bb0877829546fe5a4bffd0d11c12fe3c464c4df7bced6dfe32a3927dbd173afc296cf4860f5b107483f3700a8628e15ce2b6ff375add5788

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
448KB

MD5
0ff78a4c511c99c537dcb9ccb9d1ab42

SHA1
c5911bf7e25074287a697fe3a833521415eb563f

SHA256
b6c506e6a533718d10ba58f0b1dcceec59581221ae9cbc04e4001a984ec6c555

SHA512
9bc1a386a594f5c6bb0877829546fe5a4bffd0d11c12fe3c464c4df7bced6dfe32a3927dbd173afc296cf4860f5b107483f3700a8628e15ce2b6ff375add5788

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
448KB

MD5
a4671d84f1d0c704ccc289cfc9e68067

SHA1
ed9447d6c338f80d18b0d7ee5f5b1419cc65ceaa

SHA256
11ab618b9a3437176fcf7535b435f01db74cc1c08c3634fdf0a7d9dfafbd7461

SHA512
e3ee8e69b2a10a7ac61ed9c3cbaa661fb52f46483f85ff2bd8f850049e32795880712a6cee7de236c7dec065c014cb6dcaf3b0f575c4f5315002dbf2064508f3

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
448KB

MD5
a4671d84f1d0c704ccc289cfc9e68067

SHA1
ed9447d6c338f80d18b0d7ee5f5b1419cc65ceaa

SHA256
11ab618b9a3437176fcf7535b435f01db74cc1c08c3634fdf0a7d9dfafbd7461

SHA512
e3ee8e69b2a10a7ac61ed9c3cbaa661fb52f46483f85ff2bd8f850049e32795880712a6cee7de236c7dec065c014cb6dcaf3b0f575c4f5315002dbf2064508f3

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
448KB

MD5
dbca0d65f0e641bbb258b2afbee23867

SHA1
b7bd4f3a975be72550c35bc72eb5dd7312cc2148

SHA256
52a1c4d1415721f25011a322dadc0e35e39749df7b8d45271f07ee2226f05d40

SHA512
f2d8d10260c8ad405223255be99aa091ac0987df06aaf1afe546823be555ce4a7149afd5f56dd8e051e0bcf1e221edadee57cda0f9dcaeefbd102cf847b9e3a9

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
448KB

MD5
dbca0d65f0e641bbb258b2afbee23867

SHA1
b7bd4f3a975be72550c35bc72eb5dd7312cc2148

SHA256
52a1c4d1415721f25011a322dadc0e35e39749df7b8d45271f07ee2226f05d40

SHA512
f2d8d10260c8ad405223255be99aa091ac0987df06aaf1afe546823be555ce4a7149afd5f56dd8e051e0bcf1e221edadee57cda0f9dcaeefbd102cf847b9e3a9

Download Submit
C:\Windows\SysWOW64\Qbonoghb.exe

Filesize
448KB

MD5
330bee14b348af5d658d3978292fc1ae

SHA1
8019b09c802e7f627d6d2555d9583f1401c0f97a

SHA256
e6e82484e57e3ee2cc48584df2700dccd706a0b014255726de552859215b7d1c

SHA512
0b408d42417197b5d1e5d9667d61f9e360c283cd48dc4ecda93a1358d3a0e3e21a97e1296353ad5797681442a540ba6db5dcdba2ff048dc01eb9fd778528bb58

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
448KB

MD5
8ec4468afdae987af60b88a8961d45b5

SHA1
412a5eeaf9732f3c9c3f4af112db44eca7b0c673

SHA256
9936d9b432d8ba2ba1bf6672fb94cfad92a159da779c18c0f62bdf87f01bd5df

SHA512
5e4f6b4b70acb14f1e5e4a3a9afce96c987ae5d3f4d5c20016cd4f537661e0bb6ffa53bfc08456d4468ab3e838ea55b1c1c0b01b54ea63ad9d83a1bc97d3591e

Download Submit
memory/208-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/492-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads