2814e796d2c02d9ca72d6165efaa43912b0f52ecaded4818762942634cff1282

Analysis

max time kernel
119s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1910fca8bc43fd04860aad7fe97d316.exe
Size

45KB
MD5

c1910fca8bc43fd04860aad7fe97d316
SHA1

865385b7516af705e821a22682a6ddc5007594ad
SHA256

2814e796d2c02d9ca72d6165efaa43912b0f52ecaded4818762942634cff1282
SHA512

bec2924da1e10fb0434935c928c783100b8a23c5136eaeda4a7b8eee1e7b529ebc67cc53df68bd07280f867d461fac256c7f8fe11eb3989e22dbf10b4583664d
SSDEEP

768:zpnSl8GC0ZuVZDD6QwCT2nt21SKCQ6BeVFFqD46ulIzj7V99/1H5n:zpnSl1PuVtDT2nt21SKCQ6BGnCNjh93l

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkeodo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpnppap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoljg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feifgnki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdheol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilkkq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oediim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kclnfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbmmoklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiikkada.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gojgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiajck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbggmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbmhfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpqklh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obccpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjdajhbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fanigb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnebmgjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efampahd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Endnohdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkfoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahlnefd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhgmlli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oahgnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjeckojo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfalhgni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbpoop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbocng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adjnaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjdaoni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnbjdfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkenkhec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfchjddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fggkifmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlponebi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emdjjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqqmib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelhcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlnqln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhnlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kafcadej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jginej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkajnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ponfed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkenkhec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gablgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdejkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gegchl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jginej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhnlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnbjdfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejegdngb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c1910fca8bc43fd04860aad7fe97d316.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnqap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfejmobh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpcgbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmajbnha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmhkoaco.exe

Executes dropped EXE 64 IoCs

pid	Process
4032	Gcgqag32.exe
4544	Jmbdmg32.exe
4728	Jelhcd32.exe
1956	Jmijnfgd.exe
1980	Ldanloba.exe
2160	Mhfmbl32.exe
4216	Moeoje32.exe
1760	Noqofdlj.exe
3120	Ngnppfgb.exe
4748	Oediim32.exe
4524	Pgllad32.exe
1752	Pnhacn32.exe
3868	Qhghge32.exe
4268	Afpbkicl.exe
2800	Aiqkmd32.exe
2964	Bghddp32.exe
3872	Bkhjpn32.exe
2364	Bgokdomj.exe
4796	Ciogobcm.exe
620	Ceehcc32.exe
2884	Cblebgfh.exe
4384	Cnebmgjj.exe
4424	Dbckcf32.exe
3172	Dojlhg32.exe
936	Dlpigk32.exe
1720	Ebagdddp.exe
4420	Ellicihn.exe
3976	Efampahd.exe
4028	Fplnogmb.exe
2768	Feifgnki.exe
1960	Fifomlap.exe
112	Fpcdof32.exe
2628	Gojnfb32.exe
4128	Gomkkagl.exe
4972	Gegchl32.exe
3548	Hcommoin.exe
1680	Hgdlcm32.exe
3632	Jcgldl32.exe
2928	Jqklnp32.exe
4520	Jginej32.exe
536	Kaflio32.exe
1944	Kiaqnagj.exe
920	Kclnfi32.exe
3476	Lfmghdpl.exe
3192	Lplaaiqd.exe
2740	Mmpbkm32.exe
1420	Mpqklh32.exe
2680	Mfmpob32.exe
2836	Minipm32.exe
4532	Najjmjkg.exe
3204	Nhfoocaa.exe
5020	Oileakbj.exe
5028	Oahgnh32.exe
2632	Pjgemi32.exe
5040	Phpklp32.exe
3328	Aqdbfa32.exe
1064	Ajmgof32.exe
760	Bhbahm32.exe
2404	Bgjjoi32.exe
3036	Bbbkbbkg.exe
4508	Cicjokll.exe
3356	Cgjcfgoa.exe
1356	Dgaiffii.exe
4944	Elfhmc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlnqln32.exe	Hahlnefd.exe
File created	C:\Windows\SysWOW64\Bojohp32.exe	Aoalba32.exe
File opened for modification	C:\Windows\SysWOW64\Jkkbnl32.exe	Jdajabdc.exe
File created	C:\Windows\SysWOW64\Foajai32.dll	Ffeaichg.exe
File created	C:\Windows\SysWOW64\Lihhnokg.dll	Fapobl32.exe
File created	C:\Windows\SysWOW64\Aohcbiop.dll	Kpanmb32.exe
File created	C:\Windows\SysWOW64\Mfmpob32.exe	Mpqklh32.exe
File opened for modification	C:\Windows\SysWOW64\Hoibmmpi.exe	Hfmqapcl.exe
File created	C:\Windows\SysWOW64\Adjnaj32.exe	Pdalkk32.exe
File created	C:\Windows\SysWOW64\Ldobocab.dll	Mnggnh32.exe
File created	C:\Windows\SysWOW64\Igkhpdnd.dll	Bojohp32.exe
File created	C:\Windows\SysWOW64\Molpkleo.dll	Cdicje32.exe
File created	C:\Windows\SysWOW64\Plhhcc32.dll	Qmkfoj32.exe
File created	C:\Windows\SysWOW64\Hokdpc32.dll	Commjgga.exe
File created	C:\Windows\SysWOW64\Gqdbbelf.exe	Gbcaemdg.exe
File created	C:\Windows\SysWOW64\Jojgkahb.dll	Gimoce32.exe
File opened for modification	C:\Windows\SysWOW64\Jhhgmlli.exe	Jkajnh32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhnlh32.exe	Nbmmoklg.exe
File opened for modification	C:\Windows\SysWOW64\Nhfoocaa.exe	Najjmjkg.exe
File opened for modification	C:\Windows\SysWOW64\Cqinng32.exe	Cklffq32.exe
File created	C:\Windows\SysWOW64\Aekecn32.dll	Odkaac32.exe
File opened for modification	C:\Windows\SysWOW64\Lfmghdpl.exe	Kclnfi32.exe
File created	C:\Windows\SysWOW64\Goipae32.exe	Glhgojef.exe
File created	C:\Windows\SysWOW64\Bdendn32.dll	Fgqehgco.exe
File opened for modification	C:\Windows\SysWOW64\Ejegdngb.exe	Eoocfegl.exe
File opened for modification	C:\Windows\SysWOW64\Oahgnh32.exe	Oileakbj.exe
File opened for modification	C:\Windows\SysWOW64\Opjponbf.exe	Obccpj32.exe
File created	C:\Windows\SysWOW64\Oioahn32.exe	Olkqnjhd.exe
File created	C:\Windows\SysWOW64\Ncaepc32.dll	Lkenkhec.exe
File created	C:\Windows\SysWOW64\Jfalhgni.exe	Jinloboo.exe
File opened for modification	C:\Windows\SysWOW64\Mmahff32.exe	Mfhpilbc.exe
File opened for modification	C:\Windows\SysWOW64\Dmhkoaco.exe	Cggikk32.exe
File created	C:\Windows\SysWOW64\Jdajabdc.exe	Hoibmmpi.exe
File created	C:\Windows\SysWOW64\Fgpijd32.dll	Flfjjkgi.exe
File created	C:\Windows\SysWOW64\Icgqqmib.exe	Hpgkeodo.exe
File opened for modification	C:\Windows\SysWOW64\Eclmlpfl.exe	Dkjbgooi.exe
File opened for modification	C:\Windows\SysWOW64\Hmecba32.exe	Gdheol32.exe
File created	C:\Windows\SysWOW64\Hoibmmpi.exe	Hfmqapcl.exe
File created	C:\Windows\SysWOW64\Imabnofj.exe	Idinej32.exe
File created	C:\Windows\SysWOW64\Kpfmhf32.dll	Kiikkada.exe
File created	C:\Windows\SysWOW64\Bmeono32.dll	Mdfopf32.exe
File created	C:\Windows\SysWOW64\Ohdgoi32.dll	Qbggmk32.exe
File created	C:\Windows\SysWOW64\Abkejc32.dll	Ciogobcm.exe
File opened for modification	C:\Windows\SysWOW64\Mfmpob32.exe	Mpqklh32.exe
File created	C:\Windows\SysWOW64\Kloaob32.dll	Imabnofj.exe
File opened for modification	C:\Windows\SysWOW64\Pnhacn32.exe	Pgllad32.exe
File created	C:\Windows\SysWOW64\Emjfif32.dll	Ceehcc32.exe
File created	C:\Windows\SysWOW64\Pjgemi32.exe	Oahgnh32.exe
File created	C:\Windows\SysWOW64\Mqimdomb.exe	Loecgfjf.exe
File created	C:\Windows\SysWOW64\Ldanloba.exe	Jmijnfgd.exe
File created	C:\Windows\SysWOW64\Bgokdomj.exe	Bkhjpn32.exe
File created	C:\Windows\SysWOW64\Ajmgof32.exe	Aqdbfa32.exe
File opened for modification	C:\Windows\SysWOW64\Hcommoin.exe	Gcmpgpkp.exe
File created	C:\Windows\SysWOW64\Kfejmobh.exe	Kiajck32.exe
File created	C:\Windows\SysWOW64\Fgnihmpg.dll	Dcglfjgf.exe
File created	C:\Windows\SysWOW64\Nfeepdbg.exe	Nlpabkba.exe
File created	C:\Windows\SysWOW64\Bnmpgabd.dll	Hfmqapcl.exe
File created	C:\Windows\SysWOW64\Afcafo32.dll	Fofigd32.exe
File opened for modification	C:\Windows\SysWOW64\Odnngclb.exe	Ojhijjll.exe
File created	C:\Windows\SysWOW64\Hcommoin.exe	Gcmpgpkp.exe
File opened for modification	C:\Windows\SysWOW64\Qolbgbgb.exe	Qmkfoj32.exe
File created	C:\Windows\SysWOW64\Kpanmb32.exe	Jpoagb32.exe
File opened for modification	C:\Windows\SysWOW64\Bojohp32.exe	Aoalba32.exe
File opened for modification	C:\Windows\SysWOW64\Ngnppfgb.exe	Noqofdlj.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5808	6304	WerFault.exe	380
5940	6304	WerFault.exe	380

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcgqag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gplofb32.dll"	Bkepeaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plhhcc32.dll"	Qmkfoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmaimd32.dll"	Khplnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgpaqbcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knndpffi.dll"	Qolbgbgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqedh32.dll"	Mbkfcabb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jinloboo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhijjll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plimpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhapmphg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jqklnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoljhi32.dll"	Mmahff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggliem32.dll"	Idinej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohdgoi32.dll"	Qbggmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjnanih.dll"	Phpklp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eapmedef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkfoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakahfoj.dll"	Nilkkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojfmdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gomkkagl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcoob32.dll"	Focakm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmahff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cqinng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfchjddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkhpdnd.dll"	Bojohp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgdlfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmjdaoni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdehm32.dll"	Nofmndkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhfmbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ellicihn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elfhmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdndbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oediim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghdlppn.dll"	Jagqfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekeqi32.dll"	Mgpaqbcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaflio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Molpkleo.dll"	Cdicje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqqmib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebagdddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgmlkg32.dll"	Gcmpgpkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poifgc32.dll"	Iabodcnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emfgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jondojna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoocfegl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbbbm32.dll"	Pnhacn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnebmgjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepnld32.dll"	Fpcdof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcaab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmpfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loecgfjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Booaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaegbm32.dll"	Efampahd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obdbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgjeohk.dll"	Ecphbckp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmpcock.dll"	Bmhibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odnngclb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkeakl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdbmifdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fapobl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmqiag32.dll"	Lkiqla32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 4032	1192	c1910fca8bc43fd04860aad7fe97d316.exe	94
PID 1192 wrote to memory of 4032	1192	c1910fca8bc43fd04860aad7fe97d316.exe	94
PID 1192 wrote to memory of 4032	1192	c1910fca8bc43fd04860aad7fe97d316.exe	94
PID 4032 wrote to memory of 4544	4032	Gcgqag32.exe	95
PID 4032 wrote to memory of 4544	4032	Gcgqag32.exe	95
PID 4032 wrote to memory of 4544	4032	Gcgqag32.exe	95
PID 4544 wrote to memory of 4728	4544	Jmbdmg32.exe	96
PID 4544 wrote to memory of 4728	4544	Jmbdmg32.exe	96
PID 4544 wrote to memory of 4728	4544	Jmbdmg32.exe	96
PID 4728 wrote to memory of 1956	4728	Jelhcd32.exe	97
PID 4728 wrote to memory of 1956	4728	Jelhcd32.exe	97
PID 4728 wrote to memory of 1956	4728	Jelhcd32.exe	97
PID 1956 wrote to memory of 1980	1956	Jmijnfgd.exe	98
PID 1956 wrote to memory of 1980	1956	Jmijnfgd.exe	98
PID 1956 wrote to memory of 1980	1956	Jmijnfgd.exe	98
PID 1980 wrote to memory of 2160	1980	Ldanloba.exe	99
PID 1980 wrote to memory of 2160	1980	Ldanloba.exe	99
PID 1980 wrote to memory of 2160	1980	Ldanloba.exe	99
PID 2160 wrote to memory of 4216	2160	Mhfmbl32.exe	100
PID 2160 wrote to memory of 4216	2160	Mhfmbl32.exe	100
PID 2160 wrote to memory of 4216	2160	Mhfmbl32.exe	100
PID 4216 wrote to memory of 1760	4216	Moeoje32.exe	101
PID 4216 wrote to memory of 1760	4216	Moeoje32.exe	101
PID 4216 wrote to memory of 1760	4216	Moeoje32.exe	101
PID 1760 wrote to memory of 3120	1760	Noqofdlj.exe	102
PID 1760 wrote to memory of 3120	1760	Noqofdlj.exe	102
PID 1760 wrote to memory of 3120	1760	Noqofdlj.exe	102
PID 3120 wrote to memory of 4748	3120	Ngnppfgb.exe	103
PID 3120 wrote to memory of 4748	3120	Ngnppfgb.exe	103
PID 3120 wrote to memory of 4748	3120	Ngnppfgb.exe	103
PID 4748 wrote to memory of 4524	4748	Oediim32.exe	104
PID 4748 wrote to memory of 4524	4748	Oediim32.exe	104
PID 4748 wrote to memory of 4524	4748	Oediim32.exe	104
PID 4524 wrote to memory of 1752	4524	Pgllad32.exe	106
PID 4524 wrote to memory of 1752	4524	Pgllad32.exe	106
PID 4524 wrote to memory of 1752	4524	Pgllad32.exe	106
PID 1752 wrote to memory of 3868	1752	Pnhacn32.exe	107
PID 1752 wrote to memory of 3868	1752	Pnhacn32.exe	107
PID 1752 wrote to memory of 3868	1752	Pnhacn32.exe	107
PID 3868 wrote to memory of 4268	3868	Qhghge32.exe	108
PID 3868 wrote to memory of 4268	3868	Qhghge32.exe	108
PID 3868 wrote to memory of 4268	3868	Qhghge32.exe	108
PID 4268 wrote to memory of 2800	4268	Afpbkicl.exe	109
PID 4268 wrote to memory of 2800	4268	Afpbkicl.exe	109
PID 4268 wrote to memory of 2800	4268	Afpbkicl.exe	109
PID 2800 wrote to memory of 2964	2800	Aiqkmd32.exe	110
PID 2800 wrote to memory of 2964	2800	Aiqkmd32.exe	110
PID 2800 wrote to memory of 2964	2800	Aiqkmd32.exe	110
PID 2964 wrote to memory of 3872	2964	Bghddp32.exe	111
PID 2964 wrote to memory of 3872	2964	Bghddp32.exe	111
PID 2964 wrote to memory of 3872	2964	Bghddp32.exe	111
PID 3872 wrote to memory of 2364	3872	Bkhjpn32.exe	112
PID 3872 wrote to memory of 2364	3872	Bkhjpn32.exe	112
PID 3872 wrote to memory of 2364	3872	Bkhjpn32.exe	112
PID 2364 wrote to memory of 4796	2364	Bgokdomj.exe	113
PID 2364 wrote to memory of 4796	2364	Bgokdomj.exe	113
PID 2364 wrote to memory of 4796	2364	Bgokdomj.exe	113
PID 4796 wrote to memory of 620	4796	Ciogobcm.exe	114
PID 4796 wrote to memory of 620	4796	Ciogobcm.exe	114
PID 4796 wrote to memory of 620	4796	Ciogobcm.exe	114
PID 620 wrote to memory of 2884	620	Ceehcc32.exe	115
PID 620 wrote to memory of 2884	620	Ceehcc32.exe	115
PID 620 wrote to memory of 2884	620	Ceehcc32.exe	115
PID 2884 wrote to memory of 4384	2884	Cblebgfh.exe	116

C:\Users\Admin\AppData\Local\Temp\c1910fca8bc43fd04860aad7fe97d316.exe
"C:\Users\Admin\AppData\Local\Temp\c1910fca8bc43fd04860aad7fe97d316.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\Gcgqag32.exe
  C:\Windows\system32\Gcgqag32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\SysWOW64\Jmbdmg32.exe
    C:\Windows\system32\Jmbdmg32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\Jelhcd32.exe
      C:\Windows\system32\Jelhcd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Windows\SysWOW64\Jmijnfgd.exe
        
        C:\Windows\system32\Jmijnfgd.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\Ldanloba.exe
        
        C:\Windows\system32\Ldanloba.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Mhfmbl32.exe
        
        C:\Windows\system32\Mhfmbl32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Moeoje32.exe
        
        C:\Windows\system32\Moeoje32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Noqofdlj.exe
        
        C:\Windows\system32\Noqofdlj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Ngnppfgb.exe
        
        C:\Windows\system32\Ngnppfgb.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Oediim32.exe
        
        C:\Windows\system32\Oediim32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Pgllad32.exe
        
        C:\Windows\system32\Pgllad32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Pnhacn32.exe
        
        C:\Windows\system32\Pnhacn32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Qhghge32.exe
        
        C:\Windows\system32\Qhghge32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Afpbkicl.exe
        
        C:\Windows\system32\Afpbkicl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Aiqkmd32.exe
        
        C:\Windows\system32\Aiqkmd32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Bghddp32.exe
        
        C:\Windows\system32\Bghddp32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Bkhjpn32.exe
        
        C:\Windows\system32\Bkhjpn32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Bgokdomj.exe
        
        C:\Windows\system32\Bgokdomj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Ciogobcm.exe
        
        C:\Windows\system32\Ciogobcm.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ceehcc32.exe
        
        C:\Windows\system32\Ceehcc32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Cblebgfh.exe
        
        C:\Windows\system32\Cblebgfh.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Cnebmgjj.exe
        
        C:\Windows\system32\Cnebmgjj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Dbckcf32.exe
        
        C:\Windows\system32\Dbckcf32.exe
        24⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Dojlhg32.exe
        
        C:\Windows\system32\Dojlhg32.exe
        25⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Dlpigk32.exe
        
        C:\Windows\system32\Dlpigk32.exe
        26⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Ebagdddp.exe
        
        C:\Windows\system32\Ebagdddp.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Ellicihn.exe
        
        C:\Windows\system32\Ellicihn.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Efampahd.exe
        
        C:\Windows\system32\Efampahd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Fplnogmb.exe
        
        C:\Windows\system32\Fplnogmb.exe
        30⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Feifgnki.exe
        
        C:\Windows\system32\Feifgnki.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Fifomlap.exe
        
        C:\Windows\system32\Fifomlap.exe
        32⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Fpcdof32.exe
        
        C:\Windows\system32\Fpcdof32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Gojnfb32.exe
        
        C:\Windows\system32\Gojnfb32.exe
        34⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Gomkkagl.exe
        
        C:\Windows\system32\Gomkkagl.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Gegchl32.exe
        
        C:\Windows\system32\Gegchl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Gcmpgpkp.exe
        
        C:\Windows\system32\Gcmpgpkp.exe
        37⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Hcommoin.exe
        
        C:\Windows\system32\Hcommoin.exe
        38⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Hgdlcm32.exe
        
        C:\Windows\system32\Hgdlcm32.exe
        39⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Jcgldl32.exe
        
        C:\Windows\system32\Jcgldl32.exe
        40⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Jqklnp32.exe
        
        C:\Windows\system32\Jqklnp32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Jginej32.exe
        
        C:\Windows\system32\Jginej32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Kaflio32.exe
        
        C:\Windows\system32\Kaflio32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Kiaqnagj.exe
        
        C:\Windows\system32\Kiaqnagj.exe
        44⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Kclnfi32.exe
        
        C:\Windows\system32\Kclnfi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Lfmghdpl.exe
        
        C:\Windows\system32\Lfmghdpl.exe
        46⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Lplaaiqd.exe
        
        C:\Windows\system32\Lplaaiqd.exe
        47⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Mmpbkm32.exe
        
        C:\Windows\system32\Mmpbkm32.exe
        48⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Mpqklh32.exe
        
        C:\Windows\system32\Mpqklh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Mfmpob32.exe
        
        C:\Windows\system32\Mfmpob32.exe
        50⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Minipm32.exe
        
        C:\Windows\system32\Minipm32.exe
        51⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\Najjmjkg.exe
        
        C:\Windows\system32\Najjmjkg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\Nhfoocaa.exe
        
        C:\Windows\system32\Nhfoocaa.exe
        53⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Oileakbj.exe
        
        C:\Windows\system32\Oileakbj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Oahgnh32.exe
        
        C:\Windows\system32\Oahgnh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Pjgemi32.exe
        
        C:\Windows\system32\Pjgemi32.exe
        56⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Phpklp32.exe
        
        C:\Windows\system32\Phpklp32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Aqdbfa32.exe
        
        C:\Windows\system32\Aqdbfa32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Ajmgof32.exe
        
        C:\Windows\system32\Ajmgof32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Bhbahm32.exe
        
        C:\Windows\system32\Bhbahm32.exe
        60⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Bgjjoi32.exe
        
        C:\Windows\system32\Bgjjoi32.exe
        61⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Bbbkbbkg.exe
        
        C:\Windows\system32\Bbbkbbkg.exe
        62⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Cicjokll.exe
        
        C:\Windows\system32\Cicjokll.exe
        63⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Cgjcfgoa.exe
        
        C:\Windows\system32\Cgjcfgoa.exe
        64⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Dgaiffii.exe
        
        C:\Windows\system32\Dgaiffii.exe
        65⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Elfhmc32.exe
        
        C:\Windows\system32\Elfhmc32.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Fkbkoo32.exe
        
        C:\Windows\system32\Fkbkoo32.exe
        67⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Focakm32.exe
        
        C:\Windows\system32\Focakm32.exe
        68⤵
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Flgadake.exe
        
        C:\Windows\system32\Flgadake.exe
        69⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Gimoce32.exe
        
        C:\Windows\system32\Gimoce32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Gojgkl32.exe
        
        C:\Windows\system32\Gojgkl32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2300
        
        C:\Windows\SysWOW64\Glpdjpbj.exe
        
        C:\Windows\system32\Glpdjpbj.exe
        72⤵
        
        PID:816
        
        C:\Windows\SysWOW64\Gkeakl32.exe
        
        C:\Windows\system32\Gkeakl32.exe
        73⤵
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Haafnf32.exe
        
        C:\Windows\system32\Haafnf32.exe
        74⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Hohcmjic.exe
        
        C:\Windows\system32\Hohcmjic.exe
        75⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Hahlnefd.exe
        
        C:\Windows\system32\Hahlnefd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Hlnqln32.exe
        
        C:\Windows\system32\Hlnqln32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4044
        
        C:\Windows\SysWOW64\Iameid32.exe
        
        C:\Windows\system32\Iameid32.exe
        78⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Iabodcnj.exe
        
        C:\Windows\system32\Iabodcnj.exe
        79⤵
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Jjnqap32.exe
        
        C:\Windows\system32\Jjnqap32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3624
        
        C:\Windows\SysWOW64\Jkajnh32.exe
        
        C:\Windows\system32\Jkajnh32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Jhhgmlli.exe
        
        C:\Windows\system32\Jhhgmlli.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2748
        
        C:\Windows\SysWOW64\Joaojf32.exe
        
        C:\Windows\system32\Joaojf32.exe
        83⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Jflgfpkc.exe
        
        C:\Windows\system32\Jflgfpkc.exe
        84⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Kiomnk32.exe
        
        C:\Windows\system32\Kiomnk32.exe
        85⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Kiajck32.exe
        
        C:\Windows\system32\Kiajck32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Kfejmobh.exe
        
        C:\Windows\system32\Kfejmobh.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Lkflpe32.exe
        
        C:\Windows\system32\Lkflpe32.exe
        88⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Lflpmn32.exe
        
        C:\Windows\system32\Lflpmn32.exe
        89⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Mfhpilbc.exe
        
        C:\Windows\system32\Mfhpilbc.exe
        90⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Mmahff32.exe
        
        C:\Windows\system32\Mmahff32.exe
        91⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Njmopj32.exe
        
        C:\Windows\system32\Njmopj32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Nbmmoklg.exe
        
        C:\Windows\system32\Nbmmoklg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Ojhnlh32.exe
        
        C:\Windows\system32\Ojhnlh32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Obccpj32.exe
        
        C:\Windows\system32\Obccpj32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Opjponbf.exe
        
        C:\Windows\system32\Opjponbf.exe
        96⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Okodlgbl.exe
        
        C:\Windows\system32\Okodlgbl.exe
        97⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Plcmiofg.exe
        
        C:\Windows\system32\Plcmiofg.exe
        98⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Pcaoahio.exe
        
        C:\Windows\system32\Pcaoahio.exe
        99⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Pdalkk32.exe
        
        C:\Windows\system32\Pdalkk32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Adjnaj32.exe
        
        C:\Windows\system32\Adjnaj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Akkmocjl.exe
        
        C:\Windows\system32\Akkmocjl.exe
        102⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Bjeckojo.exe
        
        C:\Windows\system32\Bjeckojo.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Bkepeaaa.exe
        
        C:\Windows\system32\Bkepeaaa.exe
        104⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Bdmdng32.exe
        
        C:\Windows\system32\Bdmdng32.exe
        105⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Bmhibi32.exe
        
        C:\Windows\system32\Bmhibi32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Ckiipa32.exe
        
        C:\Windows\system32\Ckiipa32.exe
        107⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Cdbmifdl.exe
        
        C:\Windows\system32\Cdbmifdl.exe
        108⤵
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Cklffq32.exe
        
        C:\Windows\system32\Cklffq32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Cqinng32.exe
        
        C:\Windows\system32\Cqinng32.exe
        110⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Cnmoglij.exe
        
        C:\Windows\system32\Cnmoglij.exe
        111⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Ckqoapgd.exe
        
        C:\Windows\system32\Ckqoapgd.exe
        112⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Cdicje32.exe
        
        C:\Windows\system32\Cdicje32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Dnfanjqp.exe
        
        C:\Windows\system32\Dnfanjqp.exe
        114⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Ddpjjd32.exe
        
        C:\Windows\system32\Ddpjjd32.exe
        115⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Dkjbgooi.exe
        
        C:\Windows\system32\Dkjbgooi.exe
        116⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Eclmlpfl.exe
        
        C:\Windows\system32\Eclmlpfl.exe
        117⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Ejfeij32.exe
        
        C:\Windows\system32\Ejfeij32.exe
        118⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Eapmedef.exe
        
        C:\Windows\system32\Eapmedef.exe
        119⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Endnohdp.exe
        
        C:\Windows\system32\Endnohdp.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Eepbabjj.exe
        
        C:\Windows\system32\Eepbabjj.exe
        121⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Flmhclod.exe
        
        C:\Windows\system32\Flmhclod.exe
        122⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Fjdajhbi.exe
        
        C:\Windows\system32\Fjdajhbi.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Fanigb32.exe
        
        C:\Windows\system32\Fanigb32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Fhhaclqc.exe
        
        C:\Windows\system32\Fhhaclqc.exe
        125⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Flfjjkgi.exe
        
        C:\Windows\system32\Flfjjkgi.exe
        126⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Glhgojef.exe
        
        C:\Windows\system32\Glhgojef.exe
        127⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Goipae32.exe
        
        C:\Windows\system32\Goipae32.exe
        128⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Gdheol32.exe
        
        C:\Windows\system32\Gdheol32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Hmecba32.exe
        
        C:\Windows\system32\Hmecba32.exe
        130⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Hoglbc32.exe
        
        C:\Windows\system32\Hoglbc32.exe
        131⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Idinej32.exe
        
        C:\Windows\system32\Idinej32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Imabnofj.exe
        
        C:\Windows\system32\Imabnofj.exe
        133⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Jlponebi.exe
        
        C:\Windows\system32\Jlponebi.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3028
        
        C:\Windows\SysWOW64\Knmkak32.exe
        
        C:\Windows\system32\Knmkak32.exe
        135⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Lilbdcfe.exe
        
        C:\Windows\system32\Lilbdcfe.exe
        136⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Lfbpcgbl.exe
        
        C:\Windows\system32\Lfbpcgbl.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5068
        
        C:\Windows\SysWOW64\Mmfjfp32.exe
        
        C:\Windows\system32\Mmfjfp32.exe
        138⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Mnggnh32.exe
        
        C:\Windows\system32\Mnggnh32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Nilkkq32.exe
        
        C:\Windows\system32\Nilkkq32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Nmjdaoni.exe
        
        C:\Windows\system32\Nmjdaoni.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Nfchjddj.exe
        
        C:\Windows\system32\Nfchjddj.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Nlpabkba.exe
        
        C:\Windows\system32\Nlpabkba.exe
        143⤵
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Nfeepdbg.exe
        
        C:\Windows\system32\Nfeepdbg.exe
        144⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Nmajbnha.exe
        
        C:\Windows\system32\Nmajbnha.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Obnbjdfi.exe
        
        C:\Windows\system32\Obnbjdfi.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Olfgcj32.exe
        
        C:\Windows\system32\Olfgcj32.exe
        147⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Oeoklp32.exe
        
        C:\Windows\system32\Oeoklp32.exe
        148⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Olkqnjhd.exe
        
        C:\Windows\system32\Olkqnjhd.exe
        149⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Oioahn32.exe
        
        C:\Windows\system32\Oioahn32.exe
        150⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Ofcaab32.exe
        
        C:\Windows\system32\Ofcaab32.exe
        151⤵
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Ponfed32.exe
        
        C:\Windows\system32\Ponfed32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Pmpfcl32.exe
        
        C:\Windows\system32\Pmpfcl32.exe
        153⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Pblolb32.exe
        
        C:\Windows\system32\Pblolb32.exe
        154⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\Pppoeg32.exe
        
        C:\Windows\system32\Pppoeg32.exe
        155⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Plimpg32.exe
        
        C:\Windows\system32\Plimpg32.exe
        156⤵
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Peaahmcd.exe
        
        C:\Windows\system32\Peaahmcd.exe
        157⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Qbeaba32.exe
        
        C:\Windows\system32\Qbeaba32.exe
        158⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Qmkfoj32.exe
        
        C:\Windows\system32\Qmkfoj32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Qolbgbgb.exe
        
        C:\Windows\system32\Qolbgbgb.exe
        160⤵
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Ampojimo.exe
        
        C:\Windows\system32\Ampojimo.exe
        161⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Aoalba32.exe
        
        C:\Windows\system32\Aoalba32.exe
        162⤵
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Bojohp32.exe
        
        C:\Windows\system32\Bojohp32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Cgdlfk32.exe
        
        C:\Windows\system32\Cgdlfk32.exe
        164⤵
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Cnndbecl.exe
        
        C:\Windows\system32\Cnndbecl.exe
        165⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Cggikk32.exe
        
        C:\Windows\system32\Cggikk32.exe
        166⤵
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Dmhkoaco.exe
        
        C:\Windows\system32\Dmhkoaco.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4268
        
        C:\Windows\SysWOW64\Dcbckk32.exe
        
        C:\Windows\system32\Dcbckk32.exe
        168⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Dcglfjgf.exe
        
        C:\Windows\system32\Dcglfjgf.exe
        169⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Emanepld.exe
        
        C:\Windows\system32\Emanepld.exe
        170⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Eggbbhkj.exe
        
        C:\Windows\system32\Eggbbhkj.exe
        171⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Emdjjo32.exe
        
        C:\Windows\system32\Emdjjo32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:408
        
        C:\Windows\SysWOW64\Emfgpo32.exe
        
        C:\Windows\system32\Emfgpo32.exe
        173⤵
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Eglkmh32.exe
        
        C:\Windows\system32\Eglkmh32.exe
        174⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Fgqehgco.exe
        
        C:\Windows\system32\Fgqehgco.exe
        175⤵
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ffeaichg.exe
        
        C:\Windows\system32\Ffeaichg.exe
        176⤵
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\Fmpjfn32.exe
        
        C:\Windows\system32\Fmpjfn32.exe
        177⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Fmbflm32.exe
        
        C:\Windows\system32\Fmbflm32.exe
        178⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Fggkifmg.exe
        
        C:\Windows\system32\Fggkifmg.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Fapobl32.exe
        
        C:\Windows\system32\Fapobl32.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Gablgk32.exe
        
        C:\Windows\system32\Gablgk32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Gmkibl32.exe
        
        C:\Windows\system32\Gmkibl32.exe
        182⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Gcgndf32.exe
        
        C:\Windows\system32\Gcgndf32.exe
        183⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Hpqlof32.exe
        
        C:\Windows\system32\Hpqlof32.exe
        184⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Hfmqapcl.exe
        
        C:\Windows\system32\Hfmqapcl.exe
        185⤵
        Drops file in System32 directory
        
        PID:6576
        
        C:\Windows\SysWOW64\Hoibmmpi.exe
        
        C:\Windows\system32\Hoibmmpi.exe
        186⤵
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Jdajabdc.exe
        
        C:\Windows\system32\Jdajabdc.exe
        187⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Jkkbnl32.exe
        
        C:\Windows\system32\Jkkbnl32.exe
        188⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Jhapmphg.exe
        
        C:\Windows\system32\Jhapmphg.exe
        189⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Jmnheggo.exe
        
        C:\Windows\system32\Jmnheggo.exe
        190⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Jhdlbp32.exe
        
        C:\Windows\system32\Jhdlbp32.exe
        191⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Jondojna.exe
        
        C:\Windows\system32\Jondojna.exe
        192⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Jpoagb32.exe
        
        C:\Windows\system32\Jpoagb32.exe
        193⤵
        Drops file in System32 directory
        
        PID:6964
        
        C:\Windows\SysWOW64\Kpanmb32.exe
        
        C:\Windows\system32\Kpanmb32.exe
        194⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Kdpfbp32.exe
        
        C:\Windows\system32\Kdpfbp32.exe
        195⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Koekpi32.exe
        
        C:\Windows\system32\Koekpi32.exe
        196⤵
        
        PID:7112

C:\Windows\SysWOW64\Khmoionj.exe
C:\Windows\system32\Khmoionj.exe
1⤵
PID:7156
- C:\Windows\SysWOW64\Kklkej32.exe
  C:\Windows\system32\Kklkej32.exe
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\Kafcadej.exe
    C:\Windows\system32\Kafcadej.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:6196
  - - C:\Windows\SysWOW64\Khplnn32.exe
      C:\Windows\system32\Khplnn32.exe
      4⤵
      Modifies registry class
      PID:6256
    - - C:\Windows\SysWOW64\Ldkfno32.exe
        
        C:\Windows\system32\Ldkfno32.exe
        5⤵
        
        PID:6300
      - C:\Windows\SysWOW64\Lkenkhec.exe
        
        C:\Windows\system32\Lkenkhec.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Loecgfjf.exe
        
        C:\Windows\system32\Loecgfjf.exe
        7⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Mqimdomb.exe
        
        C:\Windows\system32\Mqimdomb.exe
        8⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Mgceqh32.exe
        
        C:\Windows\system32\Mgceqh32.exe
        9⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Mbkfcabb.exe
        
        C:\Windows\system32\Mbkfcabb.exe
        10⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Mqpcdn32.exe
        
        C:\Windows\system32\Mqpcdn32.exe
        11⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Mbpoop32.exe
        
        C:\Windows\system32\Mbpoop32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Mdnlkl32.exe
        
        C:\Windows\system32\Mdnlkl32.exe
        13⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Nkhdgfen.exe
        
        C:\Windows\system32\Nkhdgfen.exe
        14⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Nofmndkd.exe
        
        C:\Windows\system32\Nofmndkd.exe
        15⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Ndbefkjk.exe
        
        C:\Windows\system32\Ndbefkjk.exe
        16⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Obnlpnbm.exe
        
        C:\Windows\system32\Obnlpnbm.exe
        17⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Oigdmh32.exe
        
        C:\Windows\system32\Oigdmh32.exe
        18⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Okkidceh.exe
        
        C:\Windows\system32\Okkidceh.exe
        19⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Obdbqm32.exe
        
        C:\Windows\system32\Obdbqm32.exe
        20⤵
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Picchg32.exe
        
        C:\Windows\system32\Picchg32.exe
        21⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Pblhalfm.exe
        
        C:\Windows\system32\Pblhalfm.exe
        22⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Pelacg32.exe
        
        C:\Windows\system32\Pelacg32.exe
        23⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Ppbepp32.exe
        
        C:\Windows\system32\Ppbepp32.exe
        24⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Pngbam32.exe
        
        C:\Windows\system32\Pngbam32.exe
        25⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Qbggmk32.exe
        
        C:\Windows\system32\Qbggmk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Aihfjd32.exe
        
        C:\Windows\system32\Aihfjd32.exe
        27⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Booaii32.exe
        
        C:\Windows\system32\Booaii32.exe
        28⤵
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Commjgga.exe
        
        C:\Windows\system32\Commjgga.exe
        29⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Ehekjk32.exe
        
        C:\Windows\system32\Ehekjk32.exe
        30⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Eoocfegl.exe
        
        C:\Windows\system32\Eoocfegl.exe
        31⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Ejegdngb.exe
        
        C:\Windows\system32\Ejegdngb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Eoapldei.exe
        
        C:\Windows\system32\Eoapldei.exe
        33⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Ehjdejkj.exe
        
        C:\Windows\system32\Ehjdejkj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3364
        
        C:\Windows\SysWOW64\Ecphbckp.exe
        
        C:\Windows\system32\Ecphbckp.exe
        35⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Fofigd32.exe
        
        C:\Windows\system32\Fofigd32.exe
        36⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Fhonpi32.exe
        
        C:\Windows\system32\Fhonpi32.exe
        37⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Fbgbione.exe
        
        C:\Windows\system32\Fbgbione.exe
        38⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Fbiooolb.exe
        
        C:\Windows\system32\Fbiooolb.exe
        39⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Gbcaemdg.exe
        
        C:\Windows\system32\Gbcaemdg.exe
        40⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Gqdbbelf.exe
        
        C:\Windows\system32\Gqdbbelf.exe
        41⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Gcggjp32.exe
        
        C:\Windows\system32\Gcggjp32.exe
        42⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Hboaql32.exe
        
        C:\Windows\system32\Hboaql32.exe
        43⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Hjhfgi32.exe
        
        C:\Windows\system32\Hjhfgi32.exe
        44⤵
        
        PID:836
        
        C:\Windows\SysWOW64\Hjjbmhfg.exe
        
        C:\Windows\system32\Hjjbmhfg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6720
        
        C:\Windows\SysWOW64\Hpgkeodo.exe
        
        C:\Windows\system32\Hpgkeodo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Icgqqmib.exe
        
        C:\Windows\system32\Icgqqmib.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Imbaobmp.exe
        
        C:\Windows\system32\Imbaobmp.exe
        48⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Imdndbkn.exe
        
        C:\Windows\system32\Imdndbkn.exe
        49⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Jinloboo.exe
        
        C:\Windows\system32\Jinloboo.exe
        50⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Jfalhgni.exe
        
        C:\Windows\system32\Jfalhgni.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5028
        
        C:\Windows\SysWOW64\Jagqfp32.exe
        
        C:\Windows\system32\Jagqfp32.exe
        52⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Jmpnppap.exe
        
        C:\Windows\system32\Jmpnppap.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3128
        
        C:\Windows\SysWOW64\Jdjfmjhm.exe
        
        C:\Windows\system32\Jdjfmjhm.exe
        54⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\Kbocng32.exe
        
        C:\Windows\system32\Kbocng32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Kiikkada.exe
        
        C:\Windows\system32\Kiikkada.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Kdophj32.exe
        
        C:\Windows\system32\Kdophj32.exe
        57⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\Kaemgn32.exe
        
        C:\Windows\system32\Kaemgn32.exe
        58⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Kgbepdpf.exe
        
        C:\Windows\system32\Kgbepdpf.exe
        59⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Kagimmol.exe
        
        C:\Windows\system32\Kagimmol.exe
        60⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Lkpnec32.exe
        
        C:\Windows\system32\Lkpnec32.exe
        61⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Lkiqla32.exe
        
        C:\Windows\system32\Lkiqla32.exe
        62⤵
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Mgpaqbcf.exe
        
        C:\Windows\system32\Mgpaqbcf.exe
        63⤵
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Maefnk32.exe
        
        C:\Windows\system32\Maefnk32.exe
        64⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Mcgbfcij.exe
        
        C:\Windows\system32\Mcgbfcij.exe
        65⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Mjqjbn32.exe
        
        C:\Windows\system32\Mjqjbn32.exe
        66⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Mdfopf32.exe
        
        C:\Windows\system32\Mdfopf32.exe
        67⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Mjcghm32.exe
        
        C:\Windows\system32\Mjcghm32.exe
        68⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Mpmodg32.exe
        
        C:\Windows\system32\Mpmodg32.exe
        69⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Mkbcbp32.exe
        
        C:\Windows\system32\Mkbcbp32.exe
        70⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Mpoljg32.exe
        
        C:\Windows\system32\Mpoljg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:772
        
        C:\Windows\SysWOW64\Mkepgp32.exe
        
        C:\Windows\system32\Mkepgp32.exe
        72⤵
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Ncbaabom.exe
        
        C:\Windows\system32\Ncbaabom.exe
        73⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Nqklfe32.exe
        
        C:\Windows\system32\Nqklfe32.exe
        74⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Njcpok32.exe
        
        C:\Windows\system32\Njcpok32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Odidld32.exe
        
        C:\Windows\system32\Odidld32.exe
        76⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Ojfmdk32.exe
        
        C:\Windows\system32\Ojfmdk32.exe
        77⤵
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Odkaac32.exe
        
        C:\Windows\system32\Odkaac32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Ojhijjll.exe
        
        C:\Windows\system32\Ojhijjll.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Odnngclb.exe
        
        C:\Windows\system32\Odnngclb.exe
        80⤵
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Ojjfpjjj.exe
        
        C:\Windows\system32\Ojjfpjjj.exe
        81⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Pcgdcome.exe
        
        C:\Windows\system32\Pcgdcome.exe
        82⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Pjalpida.exe
        
        C:\Windows\system32\Pjalpida.exe
        83⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Pqkdmc32.exe
        
        C:\Windows\system32\Pqkdmc32.exe
        84⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 400
        85⤵
        Program crash
        
        PID:5808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 400
        85⤵
        Program crash
        
        PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 6304 -ip 6304
1⤵
PID:6544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afpbkicl.exe

Filesize
45KB

MD5
a9633af6a980a7ffa90166c0377d3357

SHA1
7a75548b89498db9fb9f54e24bd08857b5823a85

SHA256
d35c7f0cf0725c0a3d263d39141b98d9ef47a069b31640b715bb24291a645f0b

SHA512
bbc89286b4a4cf031f931dde251c02e47bb4606f99e0e56df89fb698b5dd4e5359d194dd560af5d466a2d0dd756cad8a0d50738f710bf7a2311bcf66c1a28334

Download Submit
C:\Windows\SysWOW64\Aiqkmd32.exe

Filesize
45KB

MD5
3e11624819277e92ad0cdbf020434bea

SHA1
a7cb389358c416950c4a8456079550c0035a1e99

SHA256
4865e34a1529923b23b82d291bf8141541b0234c93a623fe2cc21136ddc0a496

SHA512
0c685be2dabad0ef3cecd147cfad521b1c5686f5546d18e41f39193391b0f0f55a726e6c1f104609b3d85d4cdd7fee0d1a618d7bb6c5d67670e8e5e94f1333c1

Download Submit
C:\Windows\SysWOW64\Bbbkbbkg.exe

Filesize
45KB

MD5
6fe882c4ad564c7528d0d995fff0affe

SHA1
8908181e5c6c8d44afd165e72fcf388b5e4a2095

SHA256
e87abaef5c9c26fde1af3cd38823ceae8797a02f84c2bc677b41803f80707fe0

SHA512
dda3d69ffbb83d8ba7950dd20bcdaddc00aa2592dddf069fb1a92e555d22e938c15558a10035624adb3bd9b4015252646ad63e7f31b7f98dc010659a48c92b47

Download Submit
C:\Windows\SysWOW64\Bghddp32.exe

Filesize
45KB

MD5
2d327893aac5d67c3fb8b2990f9f9c57

SHA1
dc9d9fa1cbeb21936ee10e5374c950c90e39bd0b

SHA256
972c3f06edc01278dfd177b992ac22f8bc82a5aa203a19b7e9f3e179d71de778

SHA512
54c6ff73b3b4c5cfa1ff823e1c5022f309398b2773f53a6865a586c14a1d5da1ae9b6721bb1a11fc2bf8a1d7236a79328aeddc410578fd3ffcf5884d2c499a4f

Download Submit
C:\Windows\SysWOW64\Bgokdomj.exe

Filesize
45KB

MD5
5b36c3359b4b6c2ffbba1611fc83e107

SHA1
e6407633a0c86b97775571498b06a1aca78bc4ba

SHA256
2acff8fe45a64a37bebdafc8fb6cb8f8622711784698830ced0402f4f74f248e

SHA512
bea13a9839792fa92d2168bb95cccc5c519af1ae90dc8b035719bf224d9d7a0850303acf0f73f237850c2ea875ff03bb6a61fdaf5193f5e885a8881f20a42c9c

Download Submit
C:\Windows\SysWOW64\Bkhjpn32.exe

Filesize
45KB

MD5
5a0d2176d3882467934d1c034bc2fae4

SHA1
4906cf2c620f19bc034bd02144f16b60e9addcee

SHA256
cdac472e7ba73619e795c847d577c0582ad15ec8b31faa0a4e8bd9ed7b2d419d

SHA512
357593fbd06c53bf37efc510fc4e99f2843184c5fcfb92434e6bd0fe0cebb7cc8cb7426c4ec780276a457164d835208994e7bb27e302ef6fdd85a84caf419588

Download Submit
C:\Windows\SysWOW64\Cblebgfh.exe

Filesize
45KB

MD5
0cb41948285db68e47e9e11fa659d224

SHA1
4c3d3555000e62927814746bc517d21961f29c50

SHA256
b6b7f87228c1072c8a6754902eeb8144d350861ac04dfe65390e8909be2a8b79

SHA512
f797606a82027c79d4870f7ecb2dd5e8c4ec1dbabbd7ae331a0f17bcc580bbc4fb1507546e2b7d0a8f1d894feb9b95841cb98fac842c4b25e75f8cd374002f31

Download Submit
C:\Windows\SysWOW64\Ceehcc32.exe

Filesize
45KB

MD5
65dec8681e4c7c33d689ade524a7ef93

SHA1
23073b15f07e7d6e1b64201f467473049befcd45

SHA256
53cc78897fa22131e8893933960d2bf4f11552d451afa49fc4a01ec4fda8cd50

SHA512
94003a1d556766b7a552d6e59c39b50fb4c935c5b43f83b55f3457715293acaaa41a8935675edc08b5a4468399ebf567cd681a9f61c68bb76ec1d3c69c0158b3

Download Submit
C:\Windows\SysWOW64\Ciogobcm.exe

Filesize
45KB

MD5
2d2a288ea8e5edec626825a98859e46a

SHA1
503f780b8aa87c537e22a573f8de1551d7333c76

SHA256
78b783e246c0d2bbfc875766a023aef54e64ab43375c09dd68d649f5d742c208

SHA512
47931ca1aba5ce847c52dc93105f6f3204bdf61e4d90fbbeb399716510190e3767a0d20ebc33cc39dd771b542d62c1c308399d0d0cd821b85611fef3ba024c43

Download Submit
C:\Windows\SysWOW64\Cnebmgjj.exe

Filesize
45KB

MD5
77b790adb15aa435d7bed21bda8df15a

SHA1
ecd97c872d57276c1e5e73359e5f9b7c504e909b

SHA256
00617db7c8b33e27c4e249e8101c6daa8f2105976166c0b65977be272dea290c

SHA512
fb8d2fdb6beddefbe29069c12c6908a3cef7eaf9d06654cf6502de319c45e426af7940e9d8414e3d47fb4ea5745c56bed5a2e1fa20ebb7c0c4ae6773c9702dff

Download Submit
C:\Windows\SysWOW64\Cnmoglij.exe

Filesize
45KB

MD5
a5ad9b7b4fd48a282e8a3d79a97ebb7d

SHA1
2c6d75898c2d6cf55182063430ade0cd27ccdca3

SHA256
4faf6bf639a7b6079f291649fe4d74be4f2862d2ff517dc4a2fc8a76eda78626

SHA512
2cc094bfa4973c704786e202621db1f667dd59a7dbe38e7b22470d6ea5ca30f25168a00949ab5c09e5e5c814983d522c31bb462ff114bfc88a5bc17c13f12896

Download Submit
C:\Windows\SysWOW64\Dbckcf32.exe

Filesize
45KB

MD5
c894ba89bd105560c0cdea1aec1ea8bf

SHA1
d1ba3306f1bb92eee1f72a4d9e6e79223a91258a

SHA256
2dcb67cf285e90b7755e58d6d2b311aeda71cbdf57afce311a606bbc78156030

SHA512
fe1883d94d8ac1da03b3c3dea43096fa0b576e2cc21e30ae0cf3c78d3bfa13451aec2e262923894c6559961d0c881d254152815eb8d27ff77a8138597343caae

Download Submit
C:\Windows\SysWOW64\Dlpigk32.exe

Filesize
45KB

MD5
0d8c37ef2c263f860e788d3175168aa6

SHA1
7659de56b6f22edf4c29be8a82f11123847a0c7d

SHA256
fdc4b1124abd4fedf57a2b8cc0f653b72e97f315487324c62c1480a9e8ae221a

SHA512
0269486d3d5450603dd7aad6a593a1dcd055f8c83d2fca11c589f77e22ead7822d9f06d482a52cb28804caff7bf9a22824d5600423ef2672da08038195d8c6c3

Download Submit
C:\Windows\SysWOW64\Dojlhg32.exe

Filesize
45KB

MD5
d0e66e50cb2b09c90f842715b9b859dd

SHA1
7d84ac84d798b1cf0fc0c764a479c60d6a5bd35b

SHA256
8e25e1fd097db0b79d288685003a6047242285281ad7c03789ffac3f8f650ec3

SHA512
5365946200fc02e1e270fa3293e391747dfca158e76387a6eae75ec79c584baae1b9510478ecd2e1667902f6ad300cc18a3d2de49df75b7c56b46c90607ca735

Download Submit
C:\Windows\SysWOW64\Ebagdddp.exe

Filesize
45KB

MD5
1426daab1a38acec7c9f7bf9736f96b4

SHA1
7360651c1ab69adeca0e596376a2169eecfcbfb3

SHA256
d23c1772f11ad9a27f06573d0520a3ec3c1aae71cdfb02372064e2564a3f2618

SHA512
1092f759b5154d365344db100b30fd9653576a6b39cf1e8f862387572d73a885670da85b0c07446c9441b0c73890b31e532a9a8b14c79ad56eddb44c65a6e2e6

Download Submit
C:\Windows\SysWOW64\Efampahd.exe

Filesize
45KB

MD5
2a2336c98137d1d7626ca2cc2ecb2916

SHA1
7d2b00e908b50d660870c8c12f60aa0e716491d0

SHA256
f155c39861fe2d2dbbaf8625d3610a1c1ba361c8e16f317a04cecc63a271f131

SHA512
2c6d918bf67eb8071b58ff78cf2d9fa23f5b4759d23c1721bcd70ae1cfbb6d627d48a449fdd756bbc1508ae5b0d36481c04ee1a082b2ace4f1c76c0a50d6387d

Download Submit
C:\Windows\SysWOW64\Ellicihn.exe

Filesize
45KB

MD5
edd00bbb034aa448338edfb192ee2a43

SHA1
9291608368f7a8a5a22d9b2c247f76c2860f1da5

SHA256
e1bda8b3c4e7731fb49e56fe59fe79621cfcd860118634c91de370838902a1c8

SHA512
d539943442d705f12517ca5d623b6ee1245ad05157c7d592f0eeb5c481b0fe6eee673f267dd85103459fdd84a40e4acf246b19ca06d56b84bbd9a994df63657d

Download Submit
C:\Windows\SysWOW64\Feifgnki.exe

Filesize
45KB

MD5
f32e217cdebdf636ea20b54de7d02d76

SHA1
42ff3a399336cd418c4671317bb3667a4189acaa

SHA256
caa3307d1bdf79e1f3688d1da3c65ce78d02147b852d4b97bd8db84a247bad30

SHA512
7776d4ab69a4516933ae4fce5cd8fff08142d379e9fc572608a94bc73be226edee4164ea0c2c1e594be2bbe4215ed9908af2983a46217265f7278b76ccc31ca0

Download Submit
C:\Windows\SysWOW64\Fifomlap.exe

Filesize
45KB

MD5
124c5bd01d75b7c689a6a07f094eddfc

SHA1
d28d8fefd1d60d3f4ca1ba12144230e32e09d4ad

SHA256
8650cecdcaa2945afd5772a6c908b0c34bf6585d42219fec038068140eea80f5

SHA512
aaaa4d0b865a5023bcb87950075a333290f8f34502ff404ad98bf2a10026f55bec45831374ed7aab223e502ecfa12b627d8f8a80a2065e8c5b094db9d08abada

Download Submit
C:\Windows\SysWOW64\Fpcdof32.exe

Filesize
45KB

MD5
d32518edc48df8b729e770db373fcde4

SHA1
049e6c948330f8bf65c074272209772950b05509

SHA256
fc8a063746dffed47d26808620bfdcdedcd262e1eb6f5fbfa6fef825dbed4a7a

SHA512
013293d4ce2196b1aa50e62a772f11aff3b863b8a15b8919bcd20ec584f9bf03b35ff1b00a1a72873401f3be8985780fa3cebefb1b5b103acd66ed92a5dfb356

Download Submit
C:\Windows\SysWOW64\Fplnogmb.exe

Filesize
45KB

MD5
d944d5d6c6d0dca3b44a3fcef69a1a14

SHA1
b6de8be07c98a383d873efceb0e703f8a0744eb2

SHA256
32c382f1c35fd8d6fea791a2d9713835194983f8da063d1d06c39be9d903243c

SHA512
d9fcff18e786a521440a3c7a7b7df8b122980fa220f544058676c6da91d143ac7da66f44c718297b9967e44b22059e35da921ff3f91074faf7a0765246e6bd21

Download Submit
C:\Windows\SysWOW64\Gcgqag32.exe

Filesize
45KB

MD5
59e5d6c7be9e4351cbd5f07967f7a655

SHA1
451703d7770b51565487033c643baf74cf1f8f83

SHA256
cf8fbeab1df3328f34b4e17e294caa1dde583ebaa37bcd8d95e02a5cc62948b0

SHA512
f144a282fdb1ec800092bb0461e0e3f84b06deb8affa72303a253ee2ad33e0f6d777746b766c2718bd70fedf9acf76acb1392cf9ab09655b62d14ebe24b4ad3d

Download Submit
C:\Windows\SysWOW64\Hahlnefd.exe

Filesize
45KB

MD5
7b202ef3eddad6a9d9a333455834572f

SHA1
c90be81d182a6f284258c855f27b668e34b32fb1

SHA256
015e4ac79156215d5f1f21da1826aa6e89c837917e23d5bc7f5a95f2853acfd5

SHA512
4217b285520e57351d7e24f8cc5a073ade105b5e28e93a3201a6a337ab3c0939ef7460b3dd8623635e70a1552a853c9f6c8a2cd9de51571d91d8ee362eacf2f1

Download Submit
C:\Windows\SysWOW64\Jelhcd32.exe

Filesize
45KB

MD5
aea924b3a2afbc03544c53e423498af0

SHA1
fc51bcb53b3bb173eee3f3608a463301d13d631a

SHA256
c08638af126d7a8f146cd97c1ad228897a23ebe674e4e698afbabdf2d46cf52b

SHA512
6d9afa2471f46111c7e5c9db48dbef11cfba65165a33263565978cbf50f7dd90d47a3551aae77b086cba50867f8fba44fd100f348736af21b940750cc27996d5

Download Submit
C:\Windows\SysWOW64\Jmbdmg32.exe

Filesize
45KB

MD5
0df3ed22e5b7495511130d81b180f30f

SHA1
15f52841d95cc75bd2d6c25345dfbeb82234b760

SHA256
8f1c24367754a1f5a40c3b613a8d53d6b5da11df1eb846602a5bada16453ae4f

SHA512
1dfae2e911ad3dac5378eaed6e1c51af48814ccdc83a23aff659c3e8280ffb87aee98a02db7f0d7d95090e5aa8a3893f6f95c1e32d4b154a494a4190893ab379

Download Submit
C:\Windows\SysWOW64\Jmijnfgd.exe

Filesize
45KB

MD5
9daba2a3fbd80c5956a51a5b606da3d1

SHA1
d7d3433f110dc59b67fdf928382e1f7d9dee7902

SHA256
839c7d01f4899d742512b6009e62c4f71d3d968440010484764cafcf90258424

SHA512
beb98271981da28e2a0d8854a0c3994b06d326b87fd5dc7dc196a01548ffda6bb52fb004d038819f8f318aca6016d6719d9cad2852861a91ce3edb47e8091804

Download Submit
C:\Windows\SysWOW64\Knmkak32.exe

Filesize
45KB

MD5
fccb1f116721b1e35778928c611cbbe6

SHA1
71707598d7c3f00e9f9803624300e8d28ad0aac7

SHA256
ac0125f21facf10b9b6f6afd07fb13bc75d8daf197eca046a135f7a933439e7f

SHA512
e473f85280df64a7c126f003d3aa2b5ffb9838d59d1c1ed2221f185cc9eb42f0df7a97e5f44bb3cc27a0940cb4cef110b2bb6de4c6f48c81bf9a7bbf6944ec02

Download Submit
C:\Windows\SysWOW64\Ldanloba.exe

Filesize
45KB

MD5
8456868a200e619d02014744d342241d

SHA1
dbb24e475a0eaf5cef243df412ed1c252ffc915b

SHA256
705771c39debc05bf5d76931d0eb1c29f5a51f17074010243af39b82d4b17174

SHA512
56241ccd762fb7724bfd243b7721946e82d4842bb1bbfd17f9bedd792539c469083285d6f74857cecea10cd981c2c587fcdb3fdc0e7c76a86651360172fd60fe

Download Submit
C:\Windows\SysWOW64\Mhfmbl32.exe

Filesize
45KB

MD5
07d848c344be23ac73edbf00fb5eed05

SHA1
6df08b5224092ed448228b4b1490cd3903931e3d

SHA256
6a09253b1fdd9b6eeb525b86c1d4dd668ae8b223dc33c79573d49140e1f26f76

SHA512
8eddfa3d2c65cbec5fd852327bc4f046f9900d890ba74d48d52d29eed56254295ad6ae9086c6636a6dda630d3de70fe968afa5783992ec5e487f9b906942e258

Download Submit
C:\Windows\SysWOW64\Moeoje32.exe

Filesize
45KB

MD5
449ceefa3d35d2e49ff616f857ede9f3

SHA1
0ab405e37586fe662177a8bdcf90dde9aff7c31b

SHA256
c778d19053a3299ba6b215c919e88e0e27b3eb18c0df53c308751dbf3a274b08

SHA512
bf6d2c4be892547a1ae02f97b9ac0d01965e919407686dfc7619795a845fa64dfd44a9d66c78b4ab9477444ea09f6d2f4633d817a8abbdef10b24ca483f286aa

Download Submit
C:\Windows\SysWOW64\Ngnppfgb.exe

Filesize
45KB

MD5
4d6323faa98abad717ff6d472d41df01

SHA1
7cc3b6e34bac7b014ba11f7f6d3359a222b50ac5

SHA256
7479d0d3bc9b0d51a6b4fef5d2d71d88812c4aa9c179b7fd2cb573d84ccb4226

SHA512
7070cb9184695806f1c13a8d3a8a0bf96e3ebc74b5a1a9a2907861b04e9a540eae41c0cc6c36ac6a185c57af21b3b81a5435db759d0c9dc7dd8293fb6b2fa581

Download Submit
C:\Windows\SysWOW64\Noqofdlj.exe

Filesize
45KB

MD5
ca3fcb4702b3b93be1921240b4c96ad3

SHA1
3ad146315ff041089c73a061700c993378d5d207

SHA256
21324dd1564fcaea6d3b6de40be0ffe1aec05919a7f401038c6af6f4fa8d7632

SHA512
7e74c2233861dc9d56f731001ec2d83d92ae1e858219e3f15e24a55811c294a19c3c557872cf7ed23397a0e9c77fb29804db6f16c1241ab60674e2259745149c

Download Submit
C:\Windows\SysWOW64\Oediim32.exe

Filesize
45KB

MD5
e550b4d8d069dbfcaa8edb2c404d66ea

SHA1
4a2f5e94f8d2fd34b1f101d4de9c96d0139edc6c

SHA256
c1c653243cab9d10f0fd40c8ae6ad4e4e073467bd6c0bf681ec07a98459a3ace

SHA512
a53d9f062cbae354e167d77d928eeb78895881cfe33a72bbefce325873d3d4206bca26b801ba48ed6d192864402609ff1c9253f3473b63e3b1212073d602a5c5

Download Submit
C:\Windows\SysWOW64\Pgllad32.exe

Filesize
45KB

MD5
1c7ae7b7fd7062e7a1d9446f242eaaea

SHA1
d9cc4031460d3e36da24aba224eb554336361c48

SHA256
812a1d10ad28b8975893c7ad1fbb8e030b6e7b5396c0da22541bbc4e50224382

SHA512
574257c9cfd9afb122fff9dcd014fc3e3ab0a5510f31c0740f1ee23b629f8c9d68765628a69d496723b09c4fc262bf0e0fdd1d6fc0fe13e14e5f8f31391fe200

Download Submit
C:\Windows\SysWOW64\Pnhacn32.exe

Filesize
45KB

MD5
a6e7029b31e31f9337315ccf519ec273

SHA1
d837e42165d2dc798aa5cab51a85eaa7d282a07d

SHA256
b919911a56555d0b83d715537933e7f271311fb92844c59f04e9a875412d0d2c

SHA512
8647d5c388456efdb54a48d3660d39058e3eecfd5f75b04f2b628f0c05fd155a872d71c9804d1fc61ee9128eeb43cd385989590f731dcc7e12bca4344da31a93

Download Submit
C:\Windows\SysWOW64\Pppoeg32.exe

Filesize
45KB

MD5
23b2de0c96c363d1381f9db0122e292f

SHA1
b76acf5ad74e83b8e53611c31b58665e00f9f406

SHA256
c253cc143e8ccb52375ca3bb6dfe3b12d2d33d1ecf4f0a974e094003f12c3949

SHA512
2d8061b2b32e4590263ff611c1f7055f672201adb6d92e77a6823a6e359f91f765c1e0953ceda063ed1df508d4d9f3135c92da63460240db6cd4e27177ba734b

Download Submit
C:\Windows\SysWOW64\Qhghge32.exe

Filesize
45KB

MD5
363c3209455ad8db8f369e8a4b7f5b5b

SHA1
0cf5966cdcb90727a441b201bb9832b27fbebec0

SHA256
fbd47965d5657343de6bb57091dd4526b29a9db54319fbccae615bdae699fe10

SHA512
25776b9515f7113d65e897953ed1494b8be3d9b68bbdc5bcbe9644b734c65797a4b80d90b7e4ee916e8abe140d3739a47f8ea9f917810e8f100a4c15b037e440

Download Submit
memory/112-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2160-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2160-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-131-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-433-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3356-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3868-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3868-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4128-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4508-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-90-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4972-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads