4f1af0d844e9d9e8219d3c4d247d7644c35144c9b2bd344a4c867acb01753cd6

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2023 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ba44646445cdfb88a1936d102f20b2bc.exe
Size

112KB
MD5

ba44646445cdfb88a1936d102f20b2bc
SHA1

13486a2f7431958f97b300be49cce0ed91827829
SHA256

4f1af0d844e9d9e8219d3c4d247d7644c35144c9b2bd344a4c867acb01753cd6
SHA512

c36ba29a6a0641d6c4cabaf0d097fdd6969ae69f15ecfae4dcf35b17a05517ab4ce993728544be0933b71e7d0fed0269951d75a12280c370d4ab7233746e7b26
SSDEEP

1536:hvsBxqSflA5enerMAUQ/lPAwacQRuniKjXq+66DFUABABOVLefEjw6YmLg:RsBxq0W5MwDniKj6+JB8M6mk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feenjgfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflohaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibqnkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbenoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiopca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klekfinp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiipmhmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgmmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpbpbecj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfaajnfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmpcbhji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlpfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eohmkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbmohmoh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geanfelc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaajhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llodgnja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebifmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggkqgaol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekdnei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggbcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbjddh32.exe

Executes dropped EXE 64 IoCs

pid	Process
1288	Ddligq32.exe
4128	Dndnpf32.exe
2952	Dijbno32.exe
3064	Dodjjimm.exe
4648	Emhkdmlg.exe
4924	Eecphp32.exe
392	Enkdaepb.exe
4984	Eehicoel.exe
820	Enpmld32.exe
1080	Ekdnei32.exe
312	Efjbcakl.exe
1616	Fflohaij.exe
2768	Fpdcag32.exe
2932	Fmhdkknd.exe
3668	Fbelcblk.exe
816	Fmkqpkla.exe
4880	Ffceip32.exe
4752	Fnnjmbpm.exe
4272	Gpnfge32.exe
4768	Gfhndpol.exe
3760	Gncchb32.exe
1464	Gpbpbecj.exe
4920	Geohklaa.exe
548	Gbchdp32.exe
844	Gmimai32.exe
5060	Hfaajnfb.exe
4968	Hefnkkkj.exe
1656	Hlpfhe32.exe
4356	Hffken32.exe
2860	Hmpcbhji.exe
4480	Hekgfj32.exe
3936	Hiipmhmk.exe
2352	Hoeieolb.exe
4004	Imgicgca.exe
3292	Ibcaknbi.exe
3532	Imiehfao.exe
5096	Ibfnqmpf.exe
2488	Imkbnf32.exe
2188	Klfaapbl.exe
2744	Kfnfjehl.exe
1148	Kofkbk32.exe
4296	Kngkqbgl.exe
3524	Lfbped32.exe
2212	Lqhdbm32.exe
1124	Llodgnja.exe
3336	Ljceqb32.exe
4304	Mqafhl32.exe
1640	Mjjkaabc.exe
1784	Mgnlkfal.exe
2536	Mmkdcm32.exe
3900	Mcelpggq.exe
3256	Mnjqmpgg.exe
5116	Mcgiefen.exe
4776	Mmpmnl32.exe
5064	Mcifkf32.exe
1700	Nmbjcljl.exe
3516	Nopfpgip.exe
2184	Nmdgikhi.exe
264	Ncnofeof.exe
4636	Nmfcok32.exe
3428	Nglhld32.exe
1728	Nmipdk32.exe
2568	Njmqnobn.exe
3372	Nfcabp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hiebgmkm.dll	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Ibegfglj.exe	Ipgkjlmg.exe
File created	C:\Windows\SysWOW64\Hemikcpm.dll	Kofkbk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcifkf32.exe	Mmpmnl32.exe
File opened for modification	C:\Windows\SysWOW64\Jppnpjel.exe	Jekjcaef.exe
File created	C:\Windows\SysWOW64\Kafkmp32.dll	Jaajhb32.exe
File created	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Dodjjimm.exe	Dijbno32.exe
File created	C:\Windows\SysWOW64\Bhpopokm.dll	Fpdcag32.exe
File created	C:\Windows\SysWOW64\Fkccgodj.dll	Fbelcblk.exe
File created	C:\Windows\SysWOW64\Eehicoel.exe	Enkdaepb.exe
File created	C:\Windows\SysWOW64\Koonge32.exe	Jbepme32.exe
File created	C:\Windows\SysWOW64\Hoeieolb.exe	Hiipmhmk.exe
File created	C:\Windows\SysWOW64\Pfojdh32.exe	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Ehkaqc32.dll	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Ekaacddn.dll	Opeiadfg.exe
File opened for modification	C:\Windows\SysWOW64\Panhbfep.exe	Pfiddm32.exe
File opened for modification	C:\Windows\SysWOW64\Koonge32.exe	Jbepme32.exe
File created	C:\Windows\SysWOW64\Enpmld32.exe	Eehicoel.exe
File opened for modification	C:\Windows\SysWOW64\Nqmojd32.exe	Njbgmjgl.exe
File opened for modification	C:\Windows\SysWOW64\Gnpphljo.exe	Fkofga32.exe
File created	C:\Windows\SysWOW64\Jjpdeo32.dll	Fkofga32.exe
File created	C:\Windows\SysWOW64\Enkdaepb.exe	Eecphp32.exe
File opened for modification	C:\Windows\SysWOW64\Pfoann32.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Hodbhp32.dll	Nfcabp32.exe
File opened for modification	C:\Windows\SysWOW64\Hpkknmgd.exe	Hiacacpg.exe
File created	C:\Windows\SysWOW64\Pekihfdc.dll	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Kofmfi32.dll	Oplfkeob.exe
File opened for modification	C:\Windows\SysWOW64\Mcelpggq.exe	Mmkdcm32.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Nmdgikhi.exe
File created	C:\Windows\SysWOW64\Ppgegd32.exe	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Kjiqkhgo.dll	Iiopca32.exe
File opened for modification	C:\Windows\SysWOW64\Nopfpgip.exe	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Ekjali32.dll	Iehmmb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmphaaln.exe	Pbjddh32.exe
File opened for modification	C:\Windows\SysWOW64\Agimkk32.exe	Apodoq32.exe
File created	C:\Windows\SysWOW64\Edionhpn.exe	Enpfan32.exe
File created	C:\Windows\SysWOW64\Ogmeemdg.dll	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Ibfnqmpf.exe	Imiehfao.exe
File opened for modification	C:\Windows\SysWOW64\Ojdgnn32.exe	Ojajin32.exe
File opened for modification	C:\Windows\SysWOW64\Jadgnb32.exe	Jlgoek32.exe
File opened for modification	C:\Windows\SysWOW64\Ppjbmc32.exe	Pfandnla.exe
File created	C:\Windows\SysWOW64\Gngeik32.exe	Ggmmlamj.exe
File created	C:\Windows\SysWOW64\Oipgkfab.dll	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Epoaed32.dll	Dqnjgl32.exe
File opened for modification	C:\Windows\SysWOW64\Pnkbkk32.exe	Ppjbmc32.exe
File opened for modification	C:\Windows\SysWOW64\Hiipmhmk.exe	Hekgfj32.exe
File opened for modification	C:\Windows\SysWOW64\Opeiadfg.exe	Ojhpimhp.exe
File opened for modification	C:\Windows\SysWOW64\Ahmjjoig.exe	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Bgbpaipl.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Cbqfhb32.dll	Lpgmhg32.exe
File opened for modification	C:\Windows\SysWOW64\Ibfnqmpf.exe	Imiehfao.exe
File created	C:\Windows\SysWOW64\Blqhpg32.dll	Onkidm32.exe
File opened for modification	C:\Windows\SysWOW64\Lindkm32.exe	Lohqnd32.exe
File opened for modification	C:\Windows\SysWOW64\Mqhfoebo.exe	Mbgeqmjp.exe
File created	C:\Windows\SysWOW64\Gabfbmnl.dll	Mcelpggq.exe
File opened for modification	C:\Windows\SysWOW64\Ffceip32.exe	Fmkqpkla.exe
File created	C:\Windows\SysWOW64\Fhphpicg.dll	Kpnjah32.exe
File created	C:\Windows\SysWOW64\Dijbno32.exe	Dndnpf32.exe
File created	C:\Windows\SysWOW64\Dolmodpi.exe	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Kpnjah32.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Blnfhilh.dll	Hpioin32.exe
File created	C:\Windows\SysWOW64\Iokifhcf.dll	Jppnpjel.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8292	8200	WerFault.exe	357

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqgnfcmm.dll"	Ekonpckp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apodoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jadgnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfhndpol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfaajnfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfoel32.dll"	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Palklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eohmkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbchdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieagmcmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efjbcakl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkaqc32.dll"	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnpphljo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eehicoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqppgj32.dll"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gngeik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll"	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begfqa32.dll"	Edionhpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogakfe32.dll"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjohgj32.dll"	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhafkok.dll"	Nmfcok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eehicoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipihpkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiebgmkm.dll"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehblpall.dll"	Eqiibjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbqfhb32.dll"	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgmmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgkbmbm.dll"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbpedjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlgoek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fflohaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmlqhcc.dll"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbkmokh.dll"	Ehpadhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhfpbpdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oghghb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Legben32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 1288	3784	NEAS.ba44646445cdfb88a1936d102f20b2bc.exe	84
PID 3784 wrote to memory of 1288	3784	NEAS.ba44646445cdfb88a1936d102f20b2bc.exe	84
PID 3784 wrote to memory of 1288	3784	NEAS.ba44646445cdfb88a1936d102f20b2bc.exe	84
PID 1288 wrote to memory of 4128	1288	Ddligq32.exe	85
PID 1288 wrote to memory of 4128	1288	Ddligq32.exe	85
PID 1288 wrote to memory of 4128	1288	Ddligq32.exe	85
PID 4128 wrote to memory of 2952	4128	Dndnpf32.exe	86
PID 4128 wrote to memory of 2952	4128	Dndnpf32.exe	86
PID 4128 wrote to memory of 2952	4128	Dndnpf32.exe	86
PID 2952 wrote to memory of 3064	2952	Dijbno32.exe	87
PID 2952 wrote to memory of 3064	2952	Dijbno32.exe	87
PID 2952 wrote to memory of 3064	2952	Dijbno32.exe	87
PID 3064 wrote to memory of 4648	3064	Dodjjimm.exe	88
PID 3064 wrote to memory of 4648	3064	Dodjjimm.exe	88
PID 3064 wrote to memory of 4648	3064	Dodjjimm.exe	88
PID 4648 wrote to memory of 4924	4648	Emhkdmlg.exe	89
PID 4648 wrote to memory of 4924	4648	Emhkdmlg.exe	89
PID 4648 wrote to memory of 4924	4648	Emhkdmlg.exe	89
PID 4924 wrote to memory of 392	4924	Eecphp32.exe	90
PID 4924 wrote to memory of 392	4924	Eecphp32.exe	90
PID 4924 wrote to memory of 392	4924	Eecphp32.exe	90
PID 392 wrote to memory of 4984	392	Enkdaepb.exe	91
PID 392 wrote to memory of 4984	392	Enkdaepb.exe	91
PID 392 wrote to memory of 4984	392	Enkdaepb.exe	91
PID 4984 wrote to memory of 820	4984	Eehicoel.exe	92
PID 4984 wrote to memory of 820	4984	Eehicoel.exe	92
PID 4984 wrote to memory of 820	4984	Eehicoel.exe	92
PID 820 wrote to memory of 1080	820	Enpmld32.exe	93
PID 820 wrote to memory of 1080	820	Enpmld32.exe	93
PID 820 wrote to memory of 1080	820	Enpmld32.exe	93
PID 1080 wrote to memory of 312	1080	Ekdnei32.exe	94
PID 1080 wrote to memory of 312	1080	Ekdnei32.exe	94
PID 1080 wrote to memory of 312	1080	Ekdnei32.exe	94
PID 312 wrote to memory of 1616	312	Efjbcakl.exe	95
PID 312 wrote to memory of 1616	312	Efjbcakl.exe	95
PID 312 wrote to memory of 1616	312	Efjbcakl.exe	95
PID 1616 wrote to memory of 2768	1616	Fflohaij.exe	96
PID 1616 wrote to memory of 2768	1616	Fflohaij.exe	96
PID 1616 wrote to memory of 2768	1616	Fflohaij.exe	96
PID 2768 wrote to memory of 2932	2768	Fpdcag32.exe	97
PID 2768 wrote to memory of 2932	2768	Fpdcag32.exe	97
PID 2768 wrote to memory of 2932	2768	Fpdcag32.exe	97
PID 2932 wrote to memory of 3668	2932	Fmhdkknd.exe	98
PID 2932 wrote to memory of 3668	2932	Fmhdkknd.exe	98
PID 2932 wrote to memory of 3668	2932	Fmhdkknd.exe	98
PID 3668 wrote to memory of 816	3668	Fbelcblk.exe	99
PID 3668 wrote to memory of 816	3668	Fbelcblk.exe	99
PID 3668 wrote to memory of 816	3668	Fbelcblk.exe	99
PID 816 wrote to memory of 4880	816	Fmkqpkla.exe	100
PID 816 wrote to memory of 4880	816	Fmkqpkla.exe	100
PID 816 wrote to memory of 4880	816	Fmkqpkla.exe	100
PID 4880 wrote to memory of 4752	4880	Ffceip32.exe	101
PID 4880 wrote to memory of 4752	4880	Ffceip32.exe	101
PID 4880 wrote to memory of 4752	4880	Ffceip32.exe	101
PID 4752 wrote to memory of 4272	4752	Fnnjmbpm.exe	102
PID 4752 wrote to memory of 4272	4752	Fnnjmbpm.exe	102
PID 4752 wrote to memory of 4272	4752	Fnnjmbpm.exe	102
PID 4272 wrote to memory of 4768	4272	Gpnfge32.exe	103
PID 4272 wrote to memory of 4768	4272	Gpnfge32.exe	103
PID 4272 wrote to memory of 4768	4272	Gpnfge32.exe	103
PID 4768 wrote to memory of 3760	4768	Gfhndpol.exe	104
PID 4768 wrote to memory of 3760	4768	Gfhndpol.exe	104
PID 4768 wrote to memory of 3760	4768	Gfhndpol.exe	104
PID 3760 wrote to memory of 1464	3760	Gncchb32.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.ba44646445cdfb88a1936d102f20b2bc.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ba44646445cdfb88a1936d102f20b2bc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\SysWOW64\Ddligq32.exe
  C:\Windows\system32\Ddligq32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\Dndnpf32.exe
    C:\Windows\system32\Dndnpf32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\SysWOW64\Dijbno32.exe
      C:\Windows\system32\Dijbno32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\Dodjjimm.exe
        
        C:\Windows\system32\Dodjjimm.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        24⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        26⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        28⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        30⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        34⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        35⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        38⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        40⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        41⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        43⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        44⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        45⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        47⤵
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        49⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        50⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        58⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        60⤵
        Executes dropped EXE
        
        PID:264
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        63⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        64⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        67⤵
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        68⤵
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        69⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        70⤵
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        71⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        72⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        74⤵
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        75⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        76⤵
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        77⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        78⤵
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        80⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        81⤵
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        82⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        84⤵
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        85⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        86⤵
        
        PID:408
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1928
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        90⤵
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        91⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        94⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        96⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        97⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        99⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        100⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        101⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        103⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        104⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        105⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        106⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        107⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        108⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        110⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        111⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        114⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2124
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        116⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        117⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        118⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        119⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        120⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        121⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        124⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        127⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        128⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        129⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        130⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        131⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        132⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        134⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        136⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        137⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        138⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        140⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        141⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        143⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        144⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        147⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        148⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        151⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        153⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        154⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6340
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        156⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        157⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        158⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        160⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6596
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        162⤵
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        164⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        165⤵
        Drops file in System32 directory
        
        PID:6780
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        166⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        167⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        168⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        169⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        170⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        171⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        172⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        174⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        175⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        176⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        177⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        178⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        180⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        181⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        183⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        185⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        186⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        188⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        190⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        191⤵
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1364
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        193⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        194⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        195⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        196⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        197⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        198⤵
        Drops file in System32 directory
        
        PID:6960
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        199⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        200⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        201⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6440
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6456
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        204⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        205⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        206⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        207⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        208⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        209⤵
        Drops file in System32 directory
        
        PID:7364
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        210⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        211⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7444
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        212⤵
        Modifies registry class
        
        PID:7484
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        213⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7568
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7608
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7648
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        217⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        218⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        219⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7812
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7856
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7900
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        223⤵
        Drops file in System32 directory
        
        PID:7944
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        224⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        225⤵
        Drops file in System32 directory
        
        PID:8020
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8068
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        227⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        228⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        229⤵
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        230⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        231⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        232⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7464
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        234⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        235⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        236⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        237⤵
        Modifies registry class
        
        PID:7752
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        238⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        239⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7936
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        241⤵
        Modifies registry class
        
        PID:8028
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        242⤵
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8132
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8188
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        245⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        246⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7528
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        248⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7724
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        250⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        251⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        252⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7172
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        254⤵
        Modifies registry class
        
        PID:7280
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7512
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        256⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        257⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        258⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7212
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7452
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7824
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        262⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7492
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        264⤵
        Modifies registry class
        
        PID:8120
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        265⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7292
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        267⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8200 -s 408
        268⤵
        Program crash
        
        PID:8292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 8200 -ip 8200
1⤵
PID:8264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddligq32.exe

Filesize
112KB

MD5
97b8dedcc78e405f2b212f640289f953

SHA1
e3dc73a5836693e22e893ee9d957f6efef30bb31

SHA256
eef05061ac39718eb8c2ed7faddaf6ad9b8b9d58b86666084b7f51f8df7b0441

SHA512
62a89099f84e8c0edb9775b7d80915b00bf70b371be73c10c1a5427a8a4ceeab990fc96dba4c25b090b3cff3a79879e799755617c58eb1c56fe4d2b0fd5153d0

Download Submit
C:\Windows\SysWOW64\Ddligq32.exe

Filesize
112KB

MD5
97b8dedcc78e405f2b212f640289f953

SHA1
e3dc73a5836693e22e893ee9d957f6efef30bb31

SHA256
eef05061ac39718eb8c2ed7faddaf6ad9b8b9d58b86666084b7f51f8df7b0441

SHA512
62a89099f84e8c0edb9775b7d80915b00bf70b371be73c10c1a5427a8a4ceeab990fc96dba4c25b090b3cff3a79879e799755617c58eb1c56fe4d2b0fd5153d0

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
112KB

MD5
fafac0b0a996031fdedb04bc16bf8295

SHA1
1e127631388a479f9a604ba5a552e70527ec55a7

SHA256
9515cfa6c3e5270380874b5c80ebf3c42274d361b022c7b6b22dce67aef2c7ea

SHA512
9cf7cbddf12eb0d31b531a2c535934641bc2b720ba83d54d7985e20b41345af765453b9ef45a1b9d6c4a8722c1e424f9bbfc9858be356ddd4f53b9031e0bf530

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
112KB

MD5
fafac0b0a996031fdedb04bc16bf8295

SHA1
1e127631388a479f9a604ba5a552e70527ec55a7

SHA256
9515cfa6c3e5270380874b5c80ebf3c42274d361b022c7b6b22dce67aef2c7ea

SHA512
9cf7cbddf12eb0d31b531a2c535934641bc2b720ba83d54d7985e20b41345af765453b9ef45a1b9d6c4a8722c1e424f9bbfc9858be356ddd4f53b9031e0bf530

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
112KB

MD5
e1aceaaff3d5c0f7712f29d318d9f22d

SHA1
8d4b327d6fa934d7562bc887f4af7aa3fbd0d8ba

SHA256
1e77eb95ce6a864e94888d63f9723992d021a27628158566d07ba066f3e54561

SHA512
1147143dd464cff1062c816a69c51bef884b26a3784b3398a156e870f00d72001ff59b92509fef506a2acfe19d66295471cdc923e3c0b1b7364b0464a77d64a1

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
112KB

MD5
e1aceaaff3d5c0f7712f29d318d9f22d

SHA1
8d4b327d6fa934d7562bc887f4af7aa3fbd0d8ba

SHA256
1e77eb95ce6a864e94888d63f9723992d021a27628158566d07ba066f3e54561

SHA512
1147143dd464cff1062c816a69c51bef884b26a3784b3398a156e870f00d72001ff59b92509fef506a2acfe19d66295471cdc923e3c0b1b7364b0464a77d64a1

Download Submit
C:\Windows\SysWOW64\Dodjjimm.exe

Filesize
112KB

MD5
37755f0ea6ac5ffdb73aa6e4c4a6a3e5

SHA1
a2a976a0b4fe7ec772a6a0236c129989195af658

SHA256
ffb3922378d7965f122bccab5087a55e89c4582a2799a01dfd217d2b771d0424

SHA512
3dea11ab8db727e92d410b3be8b1315e9a4948e25d76f86f573804f5e480ca029f8a84f5749911b28623efaf9ec7b459ea146638c726a5b99ef9a8b70d92124f

Download Submit
C:\Windows\SysWOW64\Dodjjimm.exe

Filesize
112KB

MD5
37755f0ea6ac5ffdb73aa6e4c4a6a3e5

SHA1
a2a976a0b4fe7ec772a6a0236c129989195af658

SHA256
ffb3922378d7965f122bccab5087a55e89c4582a2799a01dfd217d2b771d0424

SHA512
3dea11ab8db727e92d410b3be8b1315e9a4948e25d76f86f573804f5e480ca029f8a84f5749911b28623efaf9ec7b459ea146638c726a5b99ef9a8b70d92124f

Download Submit
C:\Windows\SysWOW64\Eecphp32.exe

Filesize
112KB

MD5
3d77f9cdea3bada49c34766fe1ecee8f

SHA1
a12a10b54a5b6154d81a5eb7189043ae181cf7a6

SHA256
aea05fbe233ce17fd9b917f1dc99e2d90fcbb553d9c58739683b1d9ec598f5a8

SHA512
0727467597ff87e10d607bfe797e70d25b10192ec290f01a72c2f2ce7172d1087d65b12234a90a21b23b93ec896cec96eda03802b62062667834dd024d0959ad

Download Submit
C:\Windows\SysWOW64\Eecphp32.exe

Filesize
112KB

MD5
3d77f9cdea3bada49c34766fe1ecee8f

SHA1
a12a10b54a5b6154d81a5eb7189043ae181cf7a6

SHA256
aea05fbe233ce17fd9b917f1dc99e2d90fcbb553d9c58739683b1d9ec598f5a8

SHA512
0727467597ff87e10d607bfe797e70d25b10192ec290f01a72c2f2ce7172d1087d65b12234a90a21b23b93ec896cec96eda03802b62062667834dd024d0959ad

Download Submit
C:\Windows\SysWOW64\Eehicoel.exe

Filesize
112KB

MD5
cea6393539b2a0006bc6d12bf2c18b04

SHA1
8e295763fe2a890af673df23a94a5c2098552bd5

SHA256
ff843396ce372b213d6dd679d572a7c8362a3fe3f2d19f44c046c3b8357bce7c

SHA512
40e9f6cf0c94b58264aa7fc2df729e9902006d689d359dd9dedb91eb587f662d1bc1a31af0d76cf502c65824f97b2c0ff16fcb71b3b32f89a092ce1e62e32e13

Download Submit
C:\Windows\SysWOW64\Eehicoel.exe

Filesize
112KB

MD5
cea6393539b2a0006bc6d12bf2c18b04

SHA1
8e295763fe2a890af673df23a94a5c2098552bd5

SHA256
ff843396ce372b213d6dd679d572a7c8362a3fe3f2d19f44c046c3b8357bce7c

SHA512
40e9f6cf0c94b58264aa7fc2df729e9902006d689d359dd9dedb91eb587f662d1bc1a31af0d76cf502c65824f97b2c0ff16fcb71b3b32f89a092ce1e62e32e13

Download Submit
C:\Windows\SysWOW64\Efjbcakl.exe

Filesize
112KB

MD5
8fe644a30e28f0b3a607e727c1ef5a94

SHA1
88bdfc70ed6064e0baefd1f07420670c3ac9aa72

SHA256
74c0a6f0085c3c0cae2b6faa45669403204a696cebcd68830d6784b07fb6ebae

SHA512
5bf1fa16b35704018c4f74585bf431341ec3a3708e5946ea596ca06d7818a74bfb7cd35598214f1a8269d876c042cbd0a62a11ab8f0b6a7fc1e815328210245f

Download Submit
C:\Windows\SysWOW64\Efjbcakl.exe

Filesize
112KB

MD5
c6dbd79b180c68a53b00b7eb9e24cc15

SHA1
4c20cc8ab53f3118283e1347d32837bdccf4b385

SHA256
1fe53787bd8ef86175941a63f7fe0e1d51a2e624a605c2961a9e023a0cf6be6e

SHA512
6231e119252a1ff97a0884f3ad9fdfd45438ccb0c9521ecca710868652bb4118c8dac825764ca49f4b5376bd9e14ed1f5eb7cb7308a44c8013c759073fd3d9d6

Download Submit
C:\Windows\SysWOW64\Efjbcakl.exe

Filesize
112KB

MD5
c6dbd79b180c68a53b00b7eb9e24cc15

SHA1
4c20cc8ab53f3118283e1347d32837bdccf4b385

SHA256
1fe53787bd8ef86175941a63f7fe0e1d51a2e624a605c2961a9e023a0cf6be6e

SHA512
6231e119252a1ff97a0884f3ad9fdfd45438ccb0c9521ecca710868652bb4118c8dac825764ca49f4b5376bd9e14ed1f5eb7cb7308a44c8013c759073fd3d9d6

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
112KB

MD5
8fe644a30e28f0b3a607e727c1ef5a94

SHA1
88bdfc70ed6064e0baefd1f07420670c3ac9aa72

SHA256
74c0a6f0085c3c0cae2b6faa45669403204a696cebcd68830d6784b07fb6ebae

SHA512
5bf1fa16b35704018c4f74585bf431341ec3a3708e5946ea596ca06d7818a74bfb7cd35598214f1a8269d876c042cbd0a62a11ab8f0b6a7fc1e815328210245f

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
112KB

MD5
8fe644a30e28f0b3a607e727c1ef5a94

SHA1
88bdfc70ed6064e0baefd1f07420670c3ac9aa72

SHA256
74c0a6f0085c3c0cae2b6faa45669403204a696cebcd68830d6784b07fb6ebae

SHA512
5bf1fa16b35704018c4f74585bf431341ec3a3708e5946ea596ca06d7818a74bfb7cd35598214f1a8269d876c042cbd0a62a11ab8f0b6a7fc1e815328210245f

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
112KB

MD5
cdeffefbe5bfd29f411c7af980e0e51a

SHA1
5f16dde7a4c4442bde98349c1ceaaa2232c59d49

SHA256
3115fd22f84ba15e7973c10b58ea4d8591e4ae2ce42ccffda2965e426b61950b

SHA512
faef68393766865878325fad80b6cdf3bc4e2387e978c3630d57c5a5ca1b0c056a1c29508ec601a610abda7be80ee677a26a907abd6259ede96f2d68910cc3ab

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
112KB

MD5
cdeffefbe5bfd29f411c7af980e0e51a

SHA1
5f16dde7a4c4442bde98349c1ceaaa2232c59d49

SHA256
3115fd22f84ba15e7973c10b58ea4d8591e4ae2ce42ccffda2965e426b61950b

SHA512
faef68393766865878325fad80b6cdf3bc4e2387e978c3630d57c5a5ca1b0c056a1c29508ec601a610abda7be80ee677a26a907abd6259ede96f2d68910cc3ab

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
112KB

MD5
4db50c24ccc1a2c3c3eabd8645937ab1

SHA1
1cec6a33f8367fa13c447b74bc646e097821d2d0

SHA256
fc119a6c0e6341f4a99332813e71d7cec983adc590d4ed016d5d87a3e0fad864

SHA512
9aa183c517bce6cf184e62f837410f3a2759cc9ff1b895756dd65bfdb33d3f10be1ed4a5401926e24fe3a1e107db49b724d6f08425f30de38afa7802e1ed2b69

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
112KB

MD5
4db50c24ccc1a2c3c3eabd8645937ab1

SHA1
1cec6a33f8367fa13c447b74bc646e097821d2d0

SHA256
fc119a6c0e6341f4a99332813e71d7cec983adc590d4ed016d5d87a3e0fad864

SHA512
9aa183c517bce6cf184e62f837410f3a2759cc9ff1b895756dd65bfdb33d3f10be1ed4a5401926e24fe3a1e107db49b724d6f08425f30de38afa7802e1ed2b69

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
112KB

MD5
4db50c24ccc1a2c3c3eabd8645937ab1

SHA1
1cec6a33f8367fa13c447b74bc646e097821d2d0

SHA256
fc119a6c0e6341f4a99332813e71d7cec983adc590d4ed016d5d87a3e0fad864

SHA512
9aa183c517bce6cf184e62f837410f3a2759cc9ff1b895756dd65bfdb33d3f10be1ed4a5401926e24fe3a1e107db49b724d6f08425f30de38afa7802e1ed2b69

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
112KB

MD5
69e9791e1d3b713efbb94dbd64bae8c6

SHA1
65c430efef1da87ecc502a193cda9fb0a3f99acf

SHA256
f7c5d5e6f80caaf140a5defd97fce9f17902880987072568f97813d5eb761eef

SHA512
5ae953938b10e242a69580122ae94b10d9a0e31292591b2567d80d480a3f73c715d346c9b125518fcfdc64f9cf7ae49e944c68a2dc1ef632ede1161af43bafdd

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
112KB

MD5
69e9791e1d3b713efbb94dbd64bae8c6

SHA1
65c430efef1da87ecc502a193cda9fb0a3f99acf

SHA256
f7c5d5e6f80caaf140a5defd97fce9f17902880987072568f97813d5eb761eef

SHA512
5ae953938b10e242a69580122ae94b10d9a0e31292591b2567d80d480a3f73c715d346c9b125518fcfdc64f9cf7ae49e944c68a2dc1ef632ede1161af43bafdd

Download Submit
C:\Windows\SysWOW64\Fbelcblk.exe

Filesize
112KB

MD5
78f6b9fccd6f8d7c10201ddabed752e9

SHA1
2e7882a9a2632c4413fc4a34c2596a1c5b5b6b41

SHA256
fa2ab8996283d6aec77c20adbf8e110372e3436eaaff85df894496e4c1305e38

SHA512
47f96e8d9ed19bfa1ff41453338afa10e2cd9d7008aad0a223427e28202d3e7098f237b4179d88976fbbed4d70d448d73e9775815906c45dd27ea91fdedfe4a9

Download Submit
C:\Windows\SysWOW64\Fbelcblk.exe

Filesize
112KB

MD5
78f6b9fccd6f8d7c10201ddabed752e9

SHA1
2e7882a9a2632c4413fc4a34c2596a1c5b5b6b41

SHA256
fa2ab8996283d6aec77c20adbf8e110372e3436eaaff85df894496e4c1305e38

SHA512
47f96e8d9ed19bfa1ff41453338afa10e2cd9d7008aad0a223427e28202d3e7098f237b4179d88976fbbed4d70d448d73e9775815906c45dd27ea91fdedfe4a9

Download Submit
C:\Windows\SysWOW64\Ffceip32.exe

Filesize
112KB

MD5
fa725f363a16970080ee183e55fd61e6

SHA1
7fcd7050652e79d8a26fe1e492007139f7604d54

SHA256
f6dc9206350b97b9d0cb372cb0683291ef23f7542a90fa474e105a97847c7222

SHA512
061a25701c16b5e58e7135f2df26ccb14310666da549d68215a394b69ce51dcf81aa8ffa6c2c66fad74e05d0ac5230668c0dba3df76cc022d870dde4ab0a4872

Download Submit
C:\Windows\SysWOW64\Ffceip32.exe

Filesize
112KB

MD5
fa725f363a16970080ee183e55fd61e6

SHA1
7fcd7050652e79d8a26fe1e492007139f7604d54

SHA256
f6dc9206350b97b9d0cb372cb0683291ef23f7542a90fa474e105a97847c7222

SHA512
061a25701c16b5e58e7135f2df26ccb14310666da549d68215a394b69ce51dcf81aa8ffa6c2c66fad74e05d0ac5230668c0dba3df76cc022d870dde4ab0a4872

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
112KB

MD5
3562e60ca4311ccd12330735d7584776

SHA1
81e8de58992bd4cc973de7403c96199a843473a6

SHA256
7e87a8fdec94eaa50e4c31caaf0755f4aca8e27a8befaa55a14839a3e55f9af2

SHA512
4f4c6b6df131e14c300ff937cfc4e65abc9695913ad3ae272de3b8d8514f59ecaafea8d58113ed84a6a5f8ceb10b6f0c12d46d7fa3e0edabb810e24c1d179dbb

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
112KB

MD5
3562e60ca4311ccd12330735d7584776

SHA1
81e8de58992bd4cc973de7403c96199a843473a6

SHA256
7e87a8fdec94eaa50e4c31caaf0755f4aca8e27a8befaa55a14839a3e55f9af2

SHA512
4f4c6b6df131e14c300ff937cfc4e65abc9695913ad3ae272de3b8d8514f59ecaafea8d58113ed84a6a5f8ceb10b6f0c12d46d7fa3e0edabb810e24c1d179dbb

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
112KB

MD5
7f98f3dc259f3c785923b381d3ce7372

SHA1
5a44b70e15debc0b2d997f2512a006a1dc43285f

SHA256
e933b1910237ae9c53426ba61c69e0a29bc6a976d05476dc92cc6c8f34040df4

SHA512
4252399f3274b0c8f29292acfa47a22b399b73545db0746b65e7504d86d2dd60842eb48f5416b0f7cb4b3e8c782ad8002316142650f57359d27b36f93868d232

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
112KB

MD5
7f98f3dc259f3c785923b381d3ce7372

SHA1
5a44b70e15debc0b2d997f2512a006a1dc43285f

SHA256
e933b1910237ae9c53426ba61c69e0a29bc6a976d05476dc92cc6c8f34040df4

SHA512
4252399f3274b0c8f29292acfa47a22b399b73545db0746b65e7504d86d2dd60842eb48f5416b0f7cb4b3e8c782ad8002316142650f57359d27b36f93868d232

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
112KB

MD5
2d939f9fcdbd98a37e3fa9372bad35e9

SHA1
a170395136354d525c8c0ba8a52cb32aa59145d4

SHA256
2193a2a751ecaee5180082232af651cb47f5f82e570e998b11c47312e51bfe67

SHA512
9d27016304d68352576264575a21e7c7d91019a1270c3bb6bce23470c94dc00d52142e3b7557c034fa6011f907eed5f8720073162cf32f82f0eff4ffae6287d0

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
112KB

MD5
2d939f9fcdbd98a37e3fa9372bad35e9

SHA1
a170395136354d525c8c0ba8a52cb32aa59145d4

SHA256
2193a2a751ecaee5180082232af651cb47f5f82e570e998b11c47312e51bfe67

SHA512
9d27016304d68352576264575a21e7c7d91019a1270c3bb6bce23470c94dc00d52142e3b7557c034fa6011f907eed5f8720073162cf32f82f0eff4ffae6287d0

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
112KB

MD5
cafbaff46dc1c04af21b5a838af92adc

SHA1
7bc48d0b7445e2408be249992665fff306882b1b

SHA256
5ffd4cafb00cb46dc636c6bd4a1c533365eecc4c43fb0d5620b4bbfbe0c1a7e0

SHA512
0e2bfd6e3e64259127954ec90fb49ce8c2a64e0ffed25eddc2e6eed2318f59ea4d977ef7fdb545a6c670041e64f2083132bc6374c724ef720e19ec5e6d1623c9

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
112KB

MD5
cafbaff46dc1c04af21b5a838af92adc

SHA1
7bc48d0b7445e2408be249992665fff306882b1b

SHA256
5ffd4cafb00cb46dc636c6bd4a1c533365eecc4c43fb0d5620b4bbfbe0c1a7e0

SHA512
0e2bfd6e3e64259127954ec90fb49ce8c2a64e0ffed25eddc2e6eed2318f59ea4d977ef7fdb545a6c670041e64f2083132bc6374c724ef720e19ec5e6d1623c9

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
112KB

MD5
1055989ff50bccfdf07011f101f6eb7f

SHA1
8ddc39f57499f8c7a2d45c088b54baf4548f4f13

SHA256
3f018943f637f481ebd6b3657c14077410a5eaac66e0d7582d315a0edabc7053

SHA512
cf49dca7de3e115f338e9c9b5d7101354774bd1558234657d1683603cb43b5f82634909f8b3ffe74705a2758d0a8e5923c60a750e483bcdf304094812f4439d0

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
112KB

MD5
1055989ff50bccfdf07011f101f6eb7f

SHA1
8ddc39f57499f8c7a2d45c088b54baf4548f4f13

SHA256
3f018943f637f481ebd6b3657c14077410a5eaac66e0d7582d315a0edabc7053

SHA512
cf49dca7de3e115f338e9c9b5d7101354774bd1558234657d1683603cb43b5f82634909f8b3ffe74705a2758d0a8e5923c60a750e483bcdf304094812f4439d0

Download Submit
C:\Windows\SysWOW64\Fqgedh32.exe

Filesize
112KB

MD5
817fbf2f3204442619f214415edd45a9

SHA1
93f02957c46ac2128fe8747fc113d52345f8bb1a

SHA256
d03d868bc6a0496efb4e1850c0f48e061ed119ef08fc21f18d0169182cebbbff

SHA512
1c026adc08e14f2bc8a5c58e94ec3dcf70a9ce4032c5520256fe2ec1b2eb645e68339e5b0095e5399c244dac4fa76d9f0cfb7db8d8116408af09c0c250aeebd8

Download Submit
C:\Windows\SysWOW64\Gbchdp32.exe

Filesize
112KB

MD5
2c17fa59687b1a4974ea519431cff130

SHA1
20e557e7ba80d5b21a1035f67ffcf250b7890877

SHA256
5e677422edab66d4f171890b5291cea7a29ba8757cbe099ff0efca6a291be621

SHA512
04e0b2aef01613171d26f537860057117b3c194de0d702a2a6f0a026982cd50891e5512fd0018290e6a205a578ed6cbe248efca96f4b83a50eb2baa38ffba563

Download Submit
C:\Windows\SysWOW64\Gbchdp32.exe

Filesize
112KB

MD5
2c17fa59687b1a4974ea519431cff130

SHA1
20e557e7ba80d5b21a1035f67ffcf250b7890877

SHA256
5e677422edab66d4f171890b5291cea7a29ba8757cbe099ff0efca6a291be621

SHA512
04e0b2aef01613171d26f537860057117b3c194de0d702a2a6f0a026982cd50891e5512fd0018290e6a205a578ed6cbe248efca96f4b83a50eb2baa38ffba563

Download Submit
C:\Windows\SysWOW64\Geohklaa.exe

Filesize
112KB

MD5
18714fe2289af214161fbbff6640b073

SHA1
4be6b5979af96833df04520a658e063091446d06

SHA256
9611c3056be6e3fedff58f77fee619da16c84778819828603ef9f585bb4a0f0c

SHA512
a22b11721a93f3175850c72c0fe313d6e96c5d64c0223931c759ff59ce783b824da91dbd93135355c5fae0f42cf85e378a627953e9807fa394efd3f2c90c3d54

Download Submit
C:\Windows\SysWOW64\Geohklaa.exe

Filesize
112KB

MD5
18714fe2289af214161fbbff6640b073

SHA1
4be6b5979af96833df04520a658e063091446d06

SHA256
9611c3056be6e3fedff58f77fee619da16c84778819828603ef9f585bb4a0f0c

SHA512
a22b11721a93f3175850c72c0fe313d6e96c5d64c0223931c759ff59ce783b824da91dbd93135355c5fae0f42cf85e378a627953e9807fa394efd3f2c90c3d54

Download Submit
C:\Windows\SysWOW64\Gfhndpol.exe

Filesize
112KB

MD5
1d621eac3bf39590d27f198e02817b74

SHA1
34239a84692844f939992564cefec8189b8af05c

SHA256
b224e0b84c6f58e4463d78c1255074a7381e967b4a66ac954fb0b6bdf1129591

SHA512
53d20bfdc4fdb66103689f6ec3852cf05b0d0a690c71221d6ada46ffea86da89910022a460558ca833d60baf97206d47609c2380990bef5251e46e589792565b

Download Submit
C:\Windows\SysWOW64\Gfhndpol.exe

Filesize
112KB

MD5
1d621eac3bf39590d27f198e02817b74

SHA1
34239a84692844f939992564cefec8189b8af05c

SHA256
b224e0b84c6f58e4463d78c1255074a7381e967b4a66ac954fb0b6bdf1129591

SHA512
53d20bfdc4fdb66103689f6ec3852cf05b0d0a690c71221d6ada46ffea86da89910022a460558ca833d60baf97206d47609c2380990bef5251e46e589792565b

Download Submit
C:\Windows\SysWOW64\Gmimai32.exe

Filesize
112KB

MD5
ca81bcce975123f6a43fd2d8e09514f0

SHA1
eebb8bd5954e300b97f75a29def5005a536a42fa

SHA256
87878d4ac67aece2b558262a7b86a8c6b192963569fc397c60bc4b62a938d036

SHA512
377478f3a3fcf27b7d1812674123c10e8575ca3a9f74cc09bbe8172576af9a0b755ec43254063611b4bd2a592d0bb1a66b510df2ac7ce43cd5d96338f4b6b1f9

Download Submit
C:\Windows\SysWOW64\Gmimai32.exe

Filesize
112KB

MD5
ca81bcce975123f6a43fd2d8e09514f0

SHA1
eebb8bd5954e300b97f75a29def5005a536a42fa

SHA256
87878d4ac67aece2b558262a7b86a8c6b192963569fc397c60bc4b62a938d036

SHA512
377478f3a3fcf27b7d1812674123c10e8575ca3a9f74cc09bbe8172576af9a0b755ec43254063611b4bd2a592d0bb1a66b510df2ac7ce43cd5d96338f4b6b1f9

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
112KB

MD5
7becbdec211b71e917d7f9fc6f61db24

SHA1
2a1fe84fdf1d73654be52ee6f18819f0f9e2781c

SHA256
450664d7a9cf3908c0b0179a24a053d1f321da5dfcc9ff813fec033bc889bd35

SHA512
850fc6fa8687b284e4450004bd94ff0b58f1e7ea987be92cf111314351e2e710181f896f2d0517bdbafb22fb43441e3f9443db8ba98f78ea836ada2cd00abc24

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
112KB

MD5
7becbdec211b71e917d7f9fc6f61db24

SHA1
2a1fe84fdf1d73654be52ee6f18819f0f9e2781c

SHA256
450664d7a9cf3908c0b0179a24a053d1f321da5dfcc9ff813fec033bc889bd35

SHA512
850fc6fa8687b284e4450004bd94ff0b58f1e7ea987be92cf111314351e2e710181f896f2d0517bdbafb22fb43441e3f9443db8ba98f78ea836ada2cd00abc24

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
112KB

MD5
2e06eda967ee55943fbe576f986de3f6

SHA1
d83030cedf40526e2372842a2348452dc4fdd4e1

SHA256
5c9be8e768b8fb96f4f1e39dcac59e02498bfba1a31be68f074c6131bb70c173

SHA512
5692f9ddc5387874cd51af052383f5831aa3c5cfedc1b81f5733a668f903bde589f7ac30564bec17f0845d97cbdbad7100b699cbe7889c80a62982b68f97a3d4

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
112KB

MD5
2e06eda967ee55943fbe576f986de3f6

SHA1
d83030cedf40526e2372842a2348452dc4fdd4e1

SHA256
5c9be8e768b8fb96f4f1e39dcac59e02498bfba1a31be68f074c6131bb70c173

SHA512
5692f9ddc5387874cd51af052383f5831aa3c5cfedc1b81f5733a668f903bde589f7ac30564bec17f0845d97cbdbad7100b699cbe7889c80a62982b68f97a3d4

Download Submit
C:\Windows\SysWOW64\Gpnfge32.exe

Filesize
112KB

MD5
ae7edd331d1f56945553b73c944452c8

SHA1
7f1eb945cf91adbb0055e6d03fbedba972a29c41

SHA256
5a60c3e207c99077d55af95eea9e32acdcb58477cb68c7e28484ed3864311969

SHA512
9bdbbe038598c4e50c071f31bf26509414adeb149b235ca88553d8aa803c1395875695352ec815782cfbcb86f9f18575cc4caba85907d2933d2a0a84b4102e66

Download Submit
C:\Windows\SysWOW64\Gpnfge32.exe

Filesize
112KB

MD5
ae7edd331d1f56945553b73c944452c8

SHA1
7f1eb945cf91adbb0055e6d03fbedba972a29c41

SHA256
5a60c3e207c99077d55af95eea9e32acdcb58477cb68c7e28484ed3864311969

SHA512
9bdbbe038598c4e50c071f31bf26509414adeb149b235ca88553d8aa803c1395875695352ec815782cfbcb86f9f18575cc4caba85907d2933d2a0a84b4102e66

Download Submit
C:\Windows\SysWOW64\Hefnkkkj.exe

Filesize
112KB

MD5
5edc94cede298b36d1444bcfbb9bdcf1

SHA1
023861eaa1aa17826a2bfbf3a408062bae658928

SHA256
fdf8ec38b7846773ec467ed7bb68d293d698166ace385b64f091b47d4cc04ec9

SHA512
641ee399a431aea79549cabd416e7f9266626894ca8694c2ad4e0e1bb0c09716415e8171c79f4aabdf368f4061bde8180442591c981ceacc5cc07233cb364f50

Download Submit
C:\Windows\SysWOW64\Hefnkkkj.exe

Filesize
112KB

MD5
5edc94cede298b36d1444bcfbb9bdcf1

SHA1
023861eaa1aa17826a2bfbf3a408062bae658928

SHA256
fdf8ec38b7846773ec467ed7bb68d293d698166ace385b64f091b47d4cc04ec9

SHA512
641ee399a431aea79549cabd416e7f9266626894ca8694c2ad4e0e1bb0c09716415e8171c79f4aabdf368f4061bde8180442591c981ceacc5cc07233cb364f50

Download Submit
C:\Windows\SysWOW64\Hekgfj32.exe

Filesize
112KB

MD5
7f3f604a6b4cbff20c212904d13f76d9

SHA1
4e0b078952cbaff92169a3d566d8513c1887da81

SHA256
90144f86b6a011f6802d9335b8dd44aec9e7e881013bf465c31ad83b2b20c908

SHA512
cbecc88d6636f1a00a57fdb359c9c01fa1dedf8849c4e996128ae93bac384896a1b48192bf98247962f4d1723c1fda9c9b3921a3cdf81873e0a2cc646f716427

Download Submit
C:\Windows\SysWOW64\Hekgfj32.exe

Filesize
112KB

MD5
7f3f604a6b4cbff20c212904d13f76d9

SHA1
4e0b078952cbaff92169a3d566d8513c1887da81

SHA256
90144f86b6a011f6802d9335b8dd44aec9e7e881013bf465c31ad83b2b20c908

SHA512
cbecc88d6636f1a00a57fdb359c9c01fa1dedf8849c4e996128ae93bac384896a1b48192bf98247962f4d1723c1fda9c9b3921a3cdf81873e0a2cc646f716427

Download Submit
C:\Windows\SysWOW64\Hfaajnfb.exe

Filesize
112KB

MD5
1b754eeface2818ed921c08b1e68b60b

SHA1
80deecfd9cca5f483deefcb8df353c8915e6c4a8

SHA256
c5da1dcd6b7108113768f9fd7032f139c60e5bfa25cb2f08cf672dfcdd89ab29

SHA512
370a90f6a05eabdc132a3c0030dcf793baeb4c121b892c723edc41b5aff80e9cf57a481ff5a4f6a3bef8f8c94b56f5068c0cb1a31a5e84915e4c632c382f36d0

Download Submit
C:\Windows\SysWOW64\Hfaajnfb.exe

Filesize
112KB

MD5
1b754eeface2818ed921c08b1e68b60b

SHA1
80deecfd9cca5f483deefcb8df353c8915e6c4a8

SHA256
c5da1dcd6b7108113768f9fd7032f139c60e5bfa25cb2f08cf672dfcdd89ab29

SHA512
370a90f6a05eabdc132a3c0030dcf793baeb4c121b892c723edc41b5aff80e9cf57a481ff5a4f6a3bef8f8c94b56f5068c0cb1a31a5e84915e4c632c382f36d0

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
112KB

MD5
f4461aef036335dea3239caab4c70f07

SHA1
a7152f21dcd0f49e65ada56a9c378b401c26efbc

SHA256
6907eef78fc524798e456d5f3d52157b96116d23bebf463bd38276034cde5f80

SHA512
3a9ad2a2e681c2ecd65ec4d4ee4ea0bd11b3d45066ded3cdd6b069deff036f34b9bbe6e6057e05625b0f5dcc27f101f834577d19cc914532e81b87c8aea1e682

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
112KB

MD5
f4461aef036335dea3239caab4c70f07

SHA1
a7152f21dcd0f49e65ada56a9c378b401c26efbc

SHA256
6907eef78fc524798e456d5f3d52157b96116d23bebf463bd38276034cde5f80

SHA512
3a9ad2a2e681c2ecd65ec4d4ee4ea0bd11b3d45066ded3cdd6b069deff036f34b9bbe6e6057e05625b0f5dcc27f101f834577d19cc914532e81b87c8aea1e682

Download Submit
C:\Windows\SysWOW64\Hiipmhmk.exe

Filesize
112KB

MD5
b2e50d749a01279d2a9add772eb1b5a9

SHA1
f0495834c32bdfc7c4dcdb98c35aab89455cbcc6

SHA256
d967f3773935aa317012aee8e3e54cfa74f1f32212b0c40b69e2005e437c61f1

SHA512
1cf717c1e798ad566e521358e98728ff52820ffe7664bc90b48249815ad39ca77ae7fa576fbbcb56a0c5ff452cd525b84f8fbf701bdb257266675cf4a2546d77

Download Submit
C:\Windows\SysWOW64\Hiipmhmk.exe

Filesize
112KB

MD5
b2e50d749a01279d2a9add772eb1b5a9

SHA1
f0495834c32bdfc7c4dcdb98c35aab89455cbcc6

SHA256
d967f3773935aa317012aee8e3e54cfa74f1f32212b0c40b69e2005e437c61f1

SHA512
1cf717c1e798ad566e521358e98728ff52820ffe7664bc90b48249815ad39ca77ae7fa576fbbcb56a0c5ff452cd525b84f8fbf701bdb257266675cf4a2546d77

Download Submit
C:\Windows\SysWOW64\Hlpfhe32.exe

Filesize
112KB

MD5
ce65b1f71c76d457df8d4548c240e0fd

SHA1
2e6b4033c29313d717143bb6548b0cfddf602073

SHA256
8061f4a3441d55398b29d89b603288063c4ae29b6e7800f878adb8b3621cb967

SHA512
99ccb6d274a031f74ae7f3fcdfc5932180d879fa2c3636dfd1985252cba1b640839bfbcf2454ff7c36e9586123e5953ab2cb6b91292379ecc45205897a80d992

Download Submit
C:\Windows\SysWOW64\Hlpfhe32.exe

Filesize
112KB

MD5
ce65b1f71c76d457df8d4548c240e0fd

SHA1
2e6b4033c29313d717143bb6548b0cfddf602073

SHA256
8061f4a3441d55398b29d89b603288063c4ae29b6e7800f878adb8b3621cb967

SHA512
99ccb6d274a031f74ae7f3fcdfc5932180d879fa2c3636dfd1985252cba1b640839bfbcf2454ff7c36e9586123e5953ab2cb6b91292379ecc45205897a80d992

Download Submit
C:\Windows\SysWOW64\Hmpcbhji.exe

Filesize
112KB

MD5
554328fef70d0cda10a1e23f8988a7a0

SHA1
d7295c0f804aa4721897703d067d2a6cd9028090

SHA256
9ef48b068d610d4d6a7a56154fef8e7cc94f34ce6cad36ab9ffe2ba1d3a30907

SHA512
d1c3b44d7fd6645eee02611214aee4ac93d0ae2dcb9f2460ce40ae470e83378c048f2deb562bee8a15648ce4bbebc5b4f7aff4008d65a964e66a3f454887764b

Download Submit
C:\Windows\SysWOW64\Hmpcbhji.exe

Filesize
112KB

MD5
554328fef70d0cda10a1e23f8988a7a0

SHA1
d7295c0f804aa4721897703d067d2a6cd9028090

SHA256
9ef48b068d610d4d6a7a56154fef8e7cc94f34ce6cad36ab9ffe2ba1d3a30907

SHA512
d1c3b44d7fd6645eee02611214aee4ac93d0ae2dcb9f2460ce40ae470e83378c048f2deb562bee8a15648ce4bbebc5b4f7aff4008d65a964e66a3f454887764b

Download Submit
C:\Windows\SysWOW64\Klfaapbl.exe

Filesize
64KB

MD5
043319c40f3638499f7d57132a50e95a

SHA1
39dcdabca87bc263324fe8c580eef9fba98005f2

SHA256
c66cd90fdda68c2f77eaed573539aa75eac39d029c5fa4ed378eafbe3e83f2a9

SHA512
09357a105468b0ba654cd8ba70505e390b78e2bac3ebffd2e462cf38009d05abc6cfcdc1c93a714e9065a0ebe14607e540774c97172b9eebef97d59e1061ca74

Download Submit
C:\Windows\SysWOW64\Lindkm32.exe

Filesize
112KB

MD5
4101a8076dd56f11f593e506cca2e3db

SHA1
cbc74360052cebd6ab637721f01b8c1b656ee83d

SHA256
fa2cd674a8c85bc0f010c962e813176948f33416d0585b437bd0653b93fc073c

SHA512
3e45119c9ef5e93a146a3880d4f9064fabe2aece006f8878c28c3906eff8f5483feb87e1a8addada24f16284029728270dc32b45b1b0a684cc7d241ebf75af4a

Download Submit
C:\Windows\SysWOW64\Ofegni32.exe

Filesize
112KB

MD5
c2d400a15c3573b35e5d5dec114b7cbe

SHA1
ef6b69a4b5199d834e9a6550cb9c9f539e4e6fd9

SHA256
2a05496eb3beb268cfcc3a67503809bca69c8a927ea1110c8964a0b905dadb56

SHA512
ef00490c6b93578b00da41927162ae44bb978fc6a6cbbd8c947c2cbee594eaec6f2cb5b4886292806f3dfd40894201741def61f364f25545c4d4e2256c5d56d8

Download Submit
memory/264-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/312-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/548-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/816-130-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/820-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/844-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-86-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1616-101-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1656-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1784-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2488-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2744-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2768-106-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-114-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-29-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3064-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3336-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3428-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3524-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3532-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3760-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3784-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3784-82-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3784-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3936-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4128-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4272-154-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4296-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4648-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4768-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4776-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4968-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5060-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5096-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads