fb85b85f889731b895dbcfe5d8b0e3cc9d0919da5dc3dfb9d7eccb2d0203ea3b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 02:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb85b85f889731b895dbcfe5d8b0e3cc9d0919da5dc3dfb9d7eccb2d0203ea3b.exe
Size

96KB
MD5

adcefb87f527a99648f0df6a9734cfd1
SHA1

68b90c9da12c5629d4f44ead2c315b9f394c4eff
SHA256

fb85b85f889731b895dbcfe5d8b0e3cc9d0919da5dc3dfb9d7eccb2d0203ea3b
SHA512

4f75fb9facf0b11d789275c4cfe3f5e99956a4aee6302b85e85d77138ba35bea65aa9cbf66f5cd24c787855b35e7650529fdca19690806bf04ea2b643ec6b946
SSDEEP

1536:ALqlBh7PWI1kKuX26AyKmmIjAskoax5/2yhrUQVoMdUT+irF:Ae9b1k5Kixkoauyhr1Rhk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfpcgpae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elgfgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gokdeeec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhgjblfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kepelfam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcddpdpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Febgea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffgqqaip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhpjkojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhbgqohi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe

Executes dropped EXE 64 IoCs

pid	Process
4000	Ddbbeade.exe
4872	Dlijfneg.exe
1560	Dafbne32.exe
2032	Dddojq32.exe
2688	Dhpjkojk.exe
1248	Ddgkpp32.exe
1848	Dhbgqohi.exe
5092	Eolpmi32.exe
4248	Eaklidoi.exe
4308	Ehedfo32.exe
1860	Ekcpbj32.exe
3900	Eamhodmf.exe
2536	Edkdkplj.exe
2132	Ekemhj32.exe
1300	Ecmeig32.exe
2488	Eekaebcm.exe
3612	Ednaqo32.exe
2872	Ekhjmiad.exe
1836	Ecoangbg.exe
1624	Eemnjbaj.exe
1064	Ehljfnpn.exe
5088	Elgfgl32.exe
2328	Fljcmlfd.exe
4916	Fohoigfh.exe
4828	Febgea32.exe
1120	Fhqcam32.exe
984	Faihkbci.exe
3064	Fdgdgnbm.exe
2944	Fomhdg32.exe
572	Ffgqqaip.exe
3264	Flqimk32.exe
3840	Fooeif32.exe
2888	Fbnafb32.exe
2260	Fhgjblfq.exe
3528	Flceckoj.exe
4492	Foabofnn.exe
2192	Fbpnkama.exe
1192	Fdnjgmle.exe
5000	Gkhbdg32.exe
4544	Gbbkaako.exe
1768	Gdqgmmjb.exe
1884	Gofkje32.exe
2532	Gcagkdba.exe
3876	Gfpcgpae.exe
2336	Ghopckpi.exe
2744	Gcddpdpo.exe
3124	Gfbploob.exe
1608	Gokdeeec.exe
2124	Gfembo32.exe
396	Gblngpbd.exe
384	Hopnqdan.exe
2284	Hkfoeega.exe
4928	Hobkfd32.exe
3452	Hbpgbo32.exe
4512	Hkikkeeo.exe
2528	Hfnphn32.exe
4864	Hmhhehlb.exe
3792	Hfqlnm32.exe
2384	Hmjdjgjo.exe
2804	Hoiafcic.exe
3960	Hbgmcnhf.exe
4168	Iefioj32.exe
5076	Icgjmapi.exe
2180	Ibjjhn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ijlbqboa.dll	Hopnqdan.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bagplp32.dll	Jblpek32.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Hfqlnm32.exe	Hmhhehlb.exe
File created	C:\Windows\SysWOW64\Iledokkp.dll	Iejcji32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Gfpcgpae.exe	Gcagkdba.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Gofkje32.exe	Gdqgmmjb.exe
File created	C:\Windows\SysWOW64\Ghopckpi.exe	Gfpcgpae.exe
File opened for modification	C:\Windows\SysWOW64\Iihkpg32.exe	Ickchq32.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Eemnjbaj.exe	Ecoangbg.exe
File created	C:\Windows\SysWOW64\Jplfcpin.exe	Jmmjgejj.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Fdnjgmle.exe	Fbpnkama.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Kpgfooop.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Gfbploob.exe	Gcddpdpo.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Hmjdjgjo.exe	Hfqlnm32.exe
File opened for modification	C:\Windows\SysWOW64\Jcefno32.exe	Jlnnmb32.exe
File opened for modification	C:\Windows\SysWOW64\Gbbkaako.exe	Gkhbdg32.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Naqcfnjk.dll	Faihkbci.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Hbpgbo32.exe	Hobkfd32.exe
File created	C:\Windows\SysWOW64\Khchklef.dll	Jmpgldhg.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Febgea32.exe	Fohoigfh.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Fbnkjc32.dll	Kepelfam.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ocdqjceo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8592	8488	WerFault.exe	363

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekcpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijgnaaa.dll"	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkkdmeko.dll"	Fdgdgnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjgop32.dll"	Ekhjmiad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmehcnhg.dll"	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipenkiei.dll"	Ddbbeade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbpnkama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fljcmlfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhondp32.dll"	Ghopckpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkomqm32.dll"	Gcddpdpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplcdidf.dll"	Eaklidoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekemhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpaqkn32.dll"	Elgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfqlnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4000	4768	fb85b85f889731b895dbcfe5d8b0e3cc9d0919da5dc3dfb9d7eccb2d0203ea3b.exe	89
PID 4768 wrote to memory of 4000	4768	fb85b85f889731b895dbcfe5d8b0e3cc9d0919da5dc3dfb9d7eccb2d0203ea3b.exe	89
PID 4768 wrote to memory of 4000	4768	fb85b85f889731b895dbcfe5d8b0e3cc9d0919da5dc3dfb9d7eccb2d0203ea3b.exe	89
PID 4000 wrote to memory of 4872	4000	Ddbbeade.exe	90
PID 4000 wrote to memory of 4872	4000	Ddbbeade.exe	90
PID 4000 wrote to memory of 4872	4000	Ddbbeade.exe	90
PID 4872 wrote to memory of 1560	4872	Dlijfneg.exe	91
PID 4872 wrote to memory of 1560	4872	Dlijfneg.exe	91
PID 4872 wrote to memory of 1560	4872	Dlijfneg.exe	91
PID 1560 wrote to memory of 2032	1560	Dafbne32.exe	92
PID 1560 wrote to memory of 2032	1560	Dafbne32.exe	92
PID 1560 wrote to memory of 2032	1560	Dafbne32.exe	92
PID 2032 wrote to memory of 2688	2032	Dddojq32.exe	93
PID 2032 wrote to memory of 2688	2032	Dddojq32.exe	93
PID 2032 wrote to memory of 2688	2032	Dddojq32.exe	93
PID 2688 wrote to memory of 1248	2688	Dhpjkojk.exe	94
PID 2688 wrote to memory of 1248	2688	Dhpjkojk.exe	94
PID 2688 wrote to memory of 1248	2688	Dhpjkojk.exe	94
PID 1248 wrote to memory of 1848	1248	Ddgkpp32.exe	95
PID 1248 wrote to memory of 1848	1248	Ddgkpp32.exe	95
PID 1248 wrote to memory of 1848	1248	Ddgkpp32.exe	95
PID 1848 wrote to memory of 5092	1848	Dhbgqohi.exe	96
PID 1848 wrote to memory of 5092	1848	Dhbgqohi.exe	96
PID 1848 wrote to memory of 5092	1848	Dhbgqohi.exe	96
PID 5092 wrote to memory of 4248	5092	Eolpmi32.exe	97
PID 5092 wrote to memory of 4248	5092	Eolpmi32.exe	97
PID 5092 wrote to memory of 4248	5092	Eolpmi32.exe	97
PID 4248 wrote to memory of 4308	4248	Eaklidoi.exe	98
PID 4248 wrote to memory of 4308	4248	Eaklidoi.exe	98
PID 4248 wrote to memory of 4308	4248	Eaklidoi.exe	98
PID 4308 wrote to memory of 1860	4308	Ehedfo32.exe	99
PID 4308 wrote to memory of 1860	4308	Ehedfo32.exe	99
PID 4308 wrote to memory of 1860	4308	Ehedfo32.exe	99
PID 1860 wrote to memory of 3900	1860	Ekcpbj32.exe	100
PID 1860 wrote to memory of 3900	1860	Ekcpbj32.exe	100
PID 1860 wrote to memory of 3900	1860	Ekcpbj32.exe	100
PID 3900 wrote to memory of 2536	3900	Eamhodmf.exe	101
PID 3900 wrote to memory of 2536	3900	Eamhodmf.exe	101
PID 3900 wrote to memory of 2536	3900	Eamhodmf.exe	101
PID 2536 wrote to memory of 2132	2536	Edkdkplj.exe	102
PID 2536 wrote to memory of 2132	2536	Edkdkplj.exe	102
PID 2536 wrote to memory of 2132	2536	Edkdkplj.exe	102
PID 2132 wrote to memory of 1300	2132	Ekemhj32.exe	103
PID 2132 wrote to memory of 1300	2132	Ekemhj32.exe	103
PID 2132 wrote to memory of 1300	2132	Ekemhj32.exe	103
PID 1300 wrote to memory of 2488	1300	Ecmeig32.exe	104
PID 1300 wrote to memory of 2488	1300	Ecmeig32.exe	104
PID 1300 wrote to memory of 2488	1300	Ecmeig32.exe	104
PID 2488 wrote to memory of 3612	2488	Eekaebcm.exe	105
PID 2488 wrote to memory of 3612	2488	Eekaebcm.exe	105
PID 2488 wrote to memory of 3612	2488	Eekaebcm.exe	105
PID 3612 wrote to memory of 2872	3612	Ednaqo32.exe	106
PID 3612 wrote to memory of 2872	3612	Ednaqo32.exe	106
PID 3612 wrote to memory of 2872	3612	Ednaqo32.exe	106
PID 2872 wrote to memory of 1836	2872	Ekhjmiad.exe	107
PID 2872 wrote to memory of 1836	2872	Ekhjmiad.exe	107
PID 2872 wrote to memory of 1836	2872	Ekhjmiad.exe	107
PID 1836 wrote to memory of 1624	1836	Ecoangbg.exe	108
PID 1836 wrote to memory of 1624	1836	Ecoangbg.exe	108
PID 1836 wrote to memory of 1624	1836	Ecoangbg.exe	108
PID 1624 wrote to memory of 1064	1624	Eemnjbaj.exe	110
PID 1624 wrote to memory of 1064	1624	Eemnjbaj.exe	110
PID 1624 wrote to memory of 1064	1624	Eemnjbaj.exe	110
PID 1064 wrote to memory of 5088	1064	Ehljfnpn.exe	111

C:\Users\Admin\AppData\Local\Temp\fb85b85f889731b895dbcfe5d8b0e3cc9d0919da5dc3dfb9d7eccb2d0203ea3b.exe
"C:\Users\Admin\AppData\Local\Temp\fb85b85f889731b895dbcfe5d8b0e3cc9d0919da5dc3dfb9d7eccb2d0203ea3b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\Ddbbeade.exe
  C:\Windows\system32\Ddbbeade.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\Dlijfneg.exe
    C:\Windows\system32\Dlijfneg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\SysWOW64\Dafbne32.exe
      C:\Windows\system32\Dafbne32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        27⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        30⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        32⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        33⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        36⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        37⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        39⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        41⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        43⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        48⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        50⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        51⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        53⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        56⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        57⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        60⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        61⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        62⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        64⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        65⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        66⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        67⤵
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        70⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        71⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        72⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        73⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        74⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        75⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2220
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        77⤵
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        78⤵
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        79⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1380
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        82⤵
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        83⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        84⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        86⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        88⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        89⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        90⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        92⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        93⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        95⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        98⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        99⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        100⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        101⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        102⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        103⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        104⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        105⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        106⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        108⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        109⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        110⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        111⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        113⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        114⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        115⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        116⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        118⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        119⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        120⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        121⤵
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        123⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        126⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        129⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        130⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        131⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        134⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        135⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        139⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        141⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        143⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        145⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        146⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        147⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        148⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        150⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        151⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        154⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        156⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        157⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        158⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        159⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6816
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        161⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6916
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        163⤵
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        164⤵
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        165⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        166⤵
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        171⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        172⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        173⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        174⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        175⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        178⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6904
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        180⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        182⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        183⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        184⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        186⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        187⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        188⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        189⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        190⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        191⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        192⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        193⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        194⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        196⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        197⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        198⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        199⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        201⤵
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        202⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        203⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        204⤵
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7204
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        206⤵
        Drops file in System32 directory
        
        PID:7252
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        207⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        208⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        209⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        210⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        211⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        212⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        213⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        214⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        215⤵
        Drops file in System32 directory
        
        PID:7632
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        216⤵
        Drops file in System32 directory
        
        PID:7672
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7712
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        218⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        219⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7836
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        221⤵
        Modifies registry class
        
        PID:7880
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        222⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7956
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        224⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        225⤵
        Drops file in System32 directory
        
        PID:8040
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        226⤵
        Modifies registry class
        
        PID:8084
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8124
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8160
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        230⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        231⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7280
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        232⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7448
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7492
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7580
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        236⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        237⤵
        Drops file in System32 directory
        
        PID:7752
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        238⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        239⤵
        Drops file in System32 directory
        
        PID:7860
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7964
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        241⤵
        Modifies registry class
        
        PID:8036
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        242⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        243⤵
        Modifies registry class
        
        PID:8168
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        244⤵
        Modifies registry class
        
        PID:7216
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        245⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7320
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        246⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        247⤵
        Modifies registry class
        
        PID:7560
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        248⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        249⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        250⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        251⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8064
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        253⤵
        Modifies registry class
        
        PID:8188
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7328
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        255⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7744
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        257⤵
        Modifies registry class
        
        PID:7828
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        258⤵
        Modifies registry class
        
        PID:8080
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7212
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        260⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7848
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        262⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        263⤵
        Drops file in System32 directory
        
        PID:7780
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8116
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        265⤵
        Modifies registry class
        
        PID:7616
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        266⤵
        Modifies registry class
        
        PID:7824
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        267⤵
        Modifies registry class
        
        PID:8236
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        268⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        269⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        270⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        271⤵
        Drops file in System32 directory
        
        PID:8412
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8452
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        273⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8488 -s 408
        274⤵
        Program crash
        
        PID:8592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8488 -ip 8488
1⤵
PID:8560

Network

DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8e93fcaa4b4946ff9c91afd757f9e999&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8e93fcaa4b4946ff9c91afd757f9e999&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2C34408FE3BE604F332654B5E25E61AF; domain=.bing.com; expires=Mon, 31-Mar-2025 02:58:03 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 25DC91B7D3EC4B409626DC119CA2E8A7 Ref B: LON04EDGE1105 Ref C: 2024-03-06T02:58:03Z
date: Wed, 06 Mar 2024 02:58:02 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8e93fcaa4b4946ff9c91afd757f9e999&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8e93fcaa4b4946ff9c91afd757f9e999&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2C34408FE3BE604F332654B5E25E61AF

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=IiL0f12-hCThqjAG9kyxqQotqc2X_GIsyzZ6sl6bmFM; domain=.bing.com; expires=Mon, 31-Mar-2025 02:58:03 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AAA78A068B084358BB3D599BC09DDE44 Ref B: LON04EDGE1105 Ref C: 2024-03-06T02:58:03Z
date: Wed, 06 Mar 2024 02:58:03 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8e93fcaa4b4946ff9c91afd757f9e999&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8e93fcaa4b4946ff9c91afd757f9e999&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2C34408FE3BE604F332654B5E25E61AF; MSPTC=IiL0f12-hCThqjAG9kyxqQotqc2X_GIsyzZ6sl6bmFM

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E71013DECF2A4814BBBA73C5BC768ED9 Ref B: LON04EDGE1105 Ref C: 2024-03-06T02:58:04Z
date: Wed, 06 Mar 2024 02:58:03 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR

Response

104.241.123.92.in-addr.arpa

IN PTR

a92-123-241-104deploystaticakamaitechnologiescom
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

32.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.134.221.88.in-addr.arpa

IN PTR

Response

32.134.221.88.in-addr.arpa

IN PTR

a88-221-134-32deploystaticakamaitechnologiescom
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418606_136U7G6Z7CWHAJN4L&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418606_136U7G6Z7CWHAJN4L&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 388039
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FFBAB4AB490A4F5799E79EB4DDAA5BEF Ref B: LON04EDGE0908 Ref C: 2024-03-06T02:59:40Z
date: Wed, 06 Mar 2024 02:59:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360312918_180TGJBF6DGGGWMR4&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360312918_180TGJBF6DGGGWMR4&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 335740
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BBABBFA6DD7440288312BE2E2D6373DA Ref B: LON04EDGE0908 Ref C: 2024-03-06T02:59:42Z
date: Wed, 06 Mar 2024 02:59:41 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301558_105IVW87X3HJ5L2KP&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301558_105IVW87X3HJ5L2KP&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 503415
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 88F36760A75A46D0BB2F0B1C0FCCF3CB Ref B: LON04EDGE0908 Ref C: 2024-03-06T02:59:43Z
date: Wed, 06 Mar 2024 02:59:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301149_1C7UDVEUE5Q4XJNTT&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301149_1C7UDVEUE5Q4XJNTT&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 518274
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 04FF956C425D4FD8979B6CE9BAEB3A3F Ref B: LON04EDGE0908 Ref C: 2024-03-06T02:59:43Z
date: Wed, 06 Mar 2024 02:59:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418605_1YZ6O1QX1RJB3B5MZ&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418605_1YZ6O1QX1RJB3B5MZ&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 344848
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1EB43726282742028550B02E99909F1B Ref B: LON04EDGE0908 Ref C: 2024-03-06T02:59:43Z
date: Wed, 06 Mar 2024 02:59:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360312917_16ZMDWEI5FV6CL9RM&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360312917_16ZMDWEI5FV6CL9RM&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 279023
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3E656D4AAC2F4FB384FD7691759248B5 Ref B: LON04EDGE0908 Ref C: 2024-03-06T02:59:47Z
date: Wed, 06 Mar 2024 02:59:47 GMT
DNS

7.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.173.189.20.in-addr.arpa

IN PTR

Response
DNS

7.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.173.189.20.in-addr.arpa

IN PTR

204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8e93fcaa4b4946ff9c91afd757f9e999&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

tls, http2

2.5kB
10.7kB
23
20

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8e93fcaa4b4946ff9c91afd757f9e999&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8e93fcaa4b4946ff9c91afd757f9e999&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8e93fcaa4b4946ff9c91afd757f9e999&localId=w:B4A3D36C-D183-1852-EB44-E34BD7DE44E3&deviceId=6755461009612214&anid=

HTTP Response

204
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.6kB
8.1kB
18
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.6kB
8.1kB
18
13
204.79.197.200:443

tse1.mm.bing.net

156 B
3
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360312917_16ZMDWEI5FV6CL9RM&pid=21.2&w=1080&h=1920&c=4

tls, http2

86.6kB
2.5MB
1822
1814

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418606_136U7G6Z7CWHAJN4L&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360312918_180TGJBF6DGGGWMR4&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301558_105IVW87X3HJ5L2KP&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301149_1C7UDVEUE5Q4XJNTT&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418605_1YZ6O1QX1RJB3B5MZ&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360312917_16ZMDWEI5FV6CL9RM&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
589 B
12
8
13.107.21.200:443

tse1.mm.bing.net

tls, http2

1.5kB
8.1kB
16
14

8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

224 B
158 B
4
1

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

104.241.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

104.241.123.92.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

119.110.54.20.in-addr.arpa

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

32.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

32.134.221.88.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

79.121.231.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

79.121.231.20.in-addr.arpa

DNS Request

79.121.231.20.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

194.178.17.96.in-addr.arpa

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

142 B
314 B
2
2

DNS Request

55.36.223.20.in-addr.arpa

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
346 B
2
2

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

7.173.189.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

7.173.189.20.in-addr.arpa

DNS Request

7.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapolp32.dll

Filesize
7KB

MD5
e840a5d0ab47cf940d360df9f212f96d

SHA1
d802ff1c959b3e26818ce3cd7c3a562a1add5610

SHA256
e20289882b06e0faadeb05e72585acef8401ba599fe45d7d09743ca3ac55c2d6

SHA512
788492df391394c8e3d2b54db45c8382d40d197dde892c0ff47683d2b08c09edc1870669b269d109ab0fc540f63ce9d83b77439e671b855ea3985d60f996892f

Download Submit
C:\Windows\SysWOW64\Dafbne32.exe

Filesize
96KB

MD5
2a7210ac5486531ee40998c708a02f88

SHA1
ae194baa7501b914f5402be4aba42c7bef6ff6f5

SHA256
3a22056d4db4cea6a86da1c82e3bb36fe3b2c6c6ef4af2e9f178402be4c8cf7f

SHA512
eb78de0626220cde255ce4426044984038f74042367330f54c1583abd7dd79baa16321ed712f5b480b662adb878b3694098af3992bc9bc07c07dbae8d57ce3f8

Download Submit
C:\Windows\SysWOW64\Ddbbeade.exe

Filesize
96KB

MD5
15f99ab0737dd53e8ef0efbf55428df0

SHA1
0a296426fa661f4612af8907ab1d713852f01567

SHA256
11dab37685f31d928ae921fd1351c96274f9fd0e40cba61ac1bc9446142b06df

SHA512
b0202a74919b73f2cf7e10918cb56c57306be6133c7bca6092c12fd890c3f27057a90d825b2ad40cb19d6e39e66448743ec14286629ad95bdbcb094fd631725a

Download Submit
C:\Windows\SysWOW64\Dddojq32.exe

Filesize
96KB

MD5
b636109baecef9ed482e8ff433dc5fdd

SHA1
233006cf92a086489c20a3e6c42b458ef82a0d98

SHA256
287685eaaea94a0abe70ed2fdf71db91b268f989e12f11072205c9e910fe822d

SHA512
3fb02a3f5ef2afe0f1f61acf065b7cd8e2a3ce4ed811c7a502109828c8eb88dfcb96207358d38fea57033b4d67053ae429f6070bc82eebb1b223b74cb81b2994

Download Submit
C:\Windows\SysWOW64\Ddgkpp32.exe

Filesize
96KB

MD5
3bd8d334d31c3ddf89da2517e4f7246f

SHA1
8041731d4d4f1d67e35fab5070ab350d819dafdf

SHA256
81bc24fc53f8a7d2a37703fb4621db99a440a79dd7fe93777315ae22bda86a52

SHA512
d355ef1c3e0258aefee3682f7f4519fdfaa0fbc6c89b130fdfe835c6b4379e8dc6ebfd835f7ad2cb39e23fc8e8c6e992da46e1d5124a32c7af2f1b6180bcc7e7

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
96KB

MD5
15ac01966f080be90a2f84c5476cc545

SHA1
9e8045d7b8385ffffa656c720f6b8558375d2c1f

SHA256
79e9cc893dbaf6e8ea9102484c28e63b406d586c8e6b608d67753b6cc3932370

SHA512
f012cc5e1aedb46de6bcbbc646c53b20c751e02b2158aa9e9a787e6e5f8d4d31904c4a00113b4c4badb67e6404af2957c8a8295797c3482ed04ec70a4de632b8

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
96KB

MD5
a02ac12176a9d24a62978ab6f32283f2

SHA1
e360f37543cbb93f12de4a5ae7b942a8e3f8ec1e

SHA256
db05c5e26622d0fbc18a5df9f955e84a9008ca1d403173194f621d4a68ac6e28

SHA512
770bf99c02538d4a9859b8bcb813af03509e7c18094a086a8ca82fe3afdfd10c39a775544f401e6a0f44244d9ce14c24248d10a263e149fe9ab20d572c5feccc

Download Submit
C:\Windows\SysWOW64\Dlijfneg.exe

Filesize
96KB

MD5
2f3750b3b8aa94ba4655fba7a35f534e

SHA1
21bfaaa5e248a3dc16ae04d0f11d6d3ce7497fde

SHA256
edbc9196f1461bcca85f15512c2d27dfebd862e797ae365395cd38498ac333f9

SHA512
257370b16da10faf1a98b4d0c7b1b64d4ea40cc0e6f2c6e963cb7e972bd921ffe1c66bbebc43684b9a0cf852ee675d25a721832d0e4cad43bd15f18e1b5aec07

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
96KB

MD5
30afeddb6f0be433668f0f81bec1204d

SHA1
4c90abafc51a9931166e1482f776b95f9660ced3

SHA256
30b9bd0f7a4f628af576c4646e585f13ebfe6260011ff9184a2ce810e09e5331

SHA512
7274f7129e3e7579c88ce2f488ac5f2d66e719645405fb67a9303800fc12217cf09951857d59b50929cef004b5c7b98f8a85777750b42e805cf32de87c236096

Download Submit
C:\Windows\SysWOW64\Eamhodmf.exe

Filesize
96KB

MD5
24c9c5a206a4251c34f0d05dd057b404

SHA1
f5944530809447427ce24305ae2abef04dd18490

SHA256
c2abfcd113e98a32985053c35e0174e84d401bf42125ece8de74d3060da020d9

SHA512
87c2f8ad434bc659f8973ecfc823461545cdbb3eee99be29ee57cd148987ea78004feb8daf7fdc8d3ebba0dba6f8d9be2cf14807a26c2ca97e43ad036f11d70f

Download Submit
C:\Windows\SysWOW64\Ecmeig32.exe

Filesize
96KB

MD5
8a4b49e21cb0f3267cc7040e1dbee62b

SHA1
a27db533c4b09dcf3e0268d2017b8b9f5f6f901e

SHA256
c4669e9c041cf49657b11b59cb5c5120d8c73aff782d0eca2c58a421922f794b

SHA512
6f07ae158c8ecd048f1534daedc5527b3c0d5a772b0fd1a3d418583eab31bcd12601f5ee3d86b13b878b42baad16205006a214126a0f8aea8942df501ea58513

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
96KB

MD5
f281de39d7f21c0ae2424dde303c38ea

SHA1
7899dbd8393c3ca2afd9a1f102174b750ca70554

SHA256
519252e49d9d3d9846c35587b91331da15c2dc03f9dc8fed38cbb77781db053e

SHA512
48bed7ad2a78303e5c7236cd55466434bbe96e76bd79f56a35af29b8ba0b0ad32dc956abfddc760c6bf3e32f0e0c1a36cbd38561642fc8576c70d1bd5d9df43f

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
96KB

MD5
6abfc842bb34b5275a62ec746ad65006

SHA1
d1802ba44c75b132f970b037c40b8f24b2ca8173

SHA256
56a991031cbefdc7e95a0bb8af5a1dd08d045f8a1088db165c4b63b13560b621

SHA512
2ed58ee61e962f228177c8f9fba9a966e3db092a4fcc4da15fa45a5196a1fccef701f3fa524dd38c72996b80ad6c94b0b2edf24042e295f2ac0dc86e0fe31a58

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
96KB

MD5
30f206b7da450789bf0aeeed2fe10821

SHA1
26a249bb818300148d1b0054c6cbf44ea2a76ce4

SHA256
73d4571875d3cc87956af7fc067484b9034abe5cc83fae9f8a2854854d051d61

SHA512
d6a7893ee6af257df636992656a1ea516da7977578f69b75bb5cb8e92bd936d2458d778316c8d47723b51486dbe03c3d552e66402f4d3534258c92fc71882ff9

Download Submit
C:\Windows\SysWOW64\Eekaebcm.exe

Filesize
96KB

MD5
10133dc876830ed5cf2cb0eb923f58a6

SHA1
810f58eb3de0b94f4f8e564aa9e96b8bef6b75f1

SHA256
1fb36e6ac9cceb53f2e2459ee8431e3695c8d0721814943df9832a0e72f17427

SHA512
86b67852a6eeeeac88eaccc17efec405ba04b95b2957194c8fcf0ba0fdffb03e71878c7b6e6f70b804f7499395cb1badc3874b9a410ddcc7576e6f6256872042

Download Submit
C:\Windows\SysWOW64\Eemnjbaj.exe

Filesize
96KB

MD5
97c8e05a3255dde86521363b4f49bc5e

SHA1
4fb0c00ea5543485da4b85523f0816023396a6cb

SHA256
407b19697740ed959cf63519b6bfb9bd0ee2b073e39fb84223f8358385482202

SHA512
109d05781b43381fdfa64ce1b864eba07646696a25f61803e2a61bb8ff9d3b20fd64f507ddf2bb0332456da333f037dac7542bcd73d80efb410a548ae6c4a210

Download Submit
C:\Windows\SysWOW64\Ehedfo32.exe

Filesize
96KB

MD5
35655c6066cb39f57b0ce1c5679431bf

SHA1
c4459f9b1bf84c21df2e8d76201e4a7a19e57a98

SHA256
6227151d75cc17222d3ff9e5d929b9b01089a7fb6d36f6b4c7de0bf38751ca39

SHA512
b6f04b881b49bfe1807ebf7101c4cae1816a1b7ac34bdbfc0e5ff2c42f0e55a90f6006fbc39caf39fe3a4c4b88c6d9fe441335d072b7b9634d2fa4ec36964630

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
96KB

MD5
3c3d77104eb78cc255964f1909a2ae76

SHA1
bc56920f8d9935267c5dc1023e2a1859332edfe0

SHA256
782f4f05076dca448f792d4f06101cc5b8b528855be9c55ed0bb4bcd9a635290

SHA512
c4cca803b5341ac4ab1ee59dcfd6dcbe8a5ba03fbdc83e528d0ac146e131375536a3f8ec4512e7cbfdb72496fd543c907a8a621713d5eea16b2eaab0fa8a1dd5

Download Submit
C:\Windows\SysWOW64\Ekcpbj32.exe

Filesize
96KB

MD5
3b8458eac5c61c0146f3913c71659d59

SHA1
4c4bbdbd62326dcc963bdfac04587512a1a4148d

SHA256
132d719c9ac0650f3a4ef77faa54ce298466a159669ced2205e53dba242d6eca

SHA512
dcb8f7835eaf280e0d497df09d590eec89ed00437380699e203491923862ee684e71cd507bbcaf4d89e1e92e1aa8adc5e58535e325226384d8f4ab9d9c58d9fc

Download Submit
C:\Windows\SysWOW64\Ekemhj32.exe

Filesize
96KB

MD5
e198c5cf2ca8daaa0d93f218d48d010e

SHA1
ca90c627430cfacf29756083e00400c43e6837a9

SHA256
b3ff14086508f64100d9f662b32d6c2bd813d4f3bd03b5d1832902c60c1e393f

SHA512
a8b8082e1849e8bec108d418d4ac7dfa641a9a88ee2194b5c9c35b447d32e8af1f4ab4ee5efabadaee33b6aa372ddab5ed3765940104b93d0738e7db4ab16c9e

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
96KB

MD5
bc3a54c20843c75f880e1f3d0546c1c0

SHA1
906fea72e8309f66ded80757845e65ebacf288c6

SHA256
1ca9de442cee9ade8ec68907a9e3537745df42cfcabf7ee8e5818558b37b9220

SHA512
cc399478dea58786129a0eba854f9c1eecaf96560d74811ee67c74e19caba9f6dffb3b7704b6482eb1567c9eff6fe8363401de41b930b07243b4d615edaa2750

Download Submit
C:\Windows\SysWOW64\Elgfgl32.exe

Filesize
96KB

MD5
87287e19034b68142f1e3b8f5e91523f

SHA1
6e2bc8b132e180cb9cbafe7c5ab736bc96f78ad9

SHA256
ea97687c90c169d138fb3ace35eadaf9c596175dcb8a685c5055df4e3a2b3986

SHA512
76b557646a30abe00f2aaf0c0ba9ec2d6ea7da967b65df36a8e548f142d566bbbc55b3b225056baee0053e6f47bd1834e679fe79c55b7824bf0a3d20aa4c1816

Download Submit
C:\Windows\SysWOW64\Eolpmi32.exe

Filesize
96KB

MD5
02f1f728be5763d0b7596df15f3c13fb

SHA1
39d1705e5e2f5bf21b28cdaa33f47698bd964d5f

SHA256
74d78e01f70f9ee1c00f1e2679feded9cb0081eb9b26bdda3f125bdade118b5a

SHA512
46ee98b7ba40b656cbfdf82dc2562ea0bf577c338f55154c1502a730747dfc5ed97b98225f4d973a9330595026f1ba53777c9aaf5cfc49abe611a2be76cbf943

Download Submit
C:\Windows\SysWOW64\Faihkbci.exe

Filesize
96KB

MD5
1bde5060d110042650a5a0d4a60808f0

SHA1
be63974181f51e87950aa2f22a28e0f0ef39cd02

SHA256
f82075ce72585ab54b8fdae3c74e68efc6bbf4db21203a04878cd3cb98dac515

SHA512
0ccf8b1b32b59c0061fcd790320195f230bbbc8c9341c0738613426835b740ee68500fdcec80286c6e71b2248d733864ec22a10ff6f15df44c23fba88de4a4c2

Download Submit
C:\Windows\SysWOW64\Fdgdgnbm.exe

Filesize
96KB

MD5
f4ecec9f18e5697848696253a6ed555a

SHA1
238e1d577549b7408ea1c6503d420cd00c7746c7

SHA256
ed926ac88e218b68b8a5f71c2dfb9606667bb180f73ba3a87d5d7cad32f3c269

SHA512
c1e2ed600a58ce805ae43a25aa2e1993ad0a87dd6899dd2eb74dcf94c537090044e833d695d01a6dbf8d3076c386a8df80b3c87b655251200ba82fa4b7727b56

Download Submit
C:\Windows\SysWOW64\Febgea32.exe

Filesize
96KB

MD5
33f885570f4590b945e9760f633bd930

SHA1
16e6abf3b455a34e42e71a72aaa717c203ad7f9f

SHA256
6d49fe0c0142e3c5400341813fe1df0a53fcfebfb742a8e506bd8fc4e2d04dac

SHA512
15da394ccc3953b86db908a906e4027f4c6ecae990a60c85dd4fe5a334c310202a91b21badfda64dc66dae8072dd85c5294ed38e36f40d3130418912c94fe6ff

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
96KB

MD5
3c7c572caeca3e3e6bfae4d5623c540c

SHA1
524d2521a9f124fcaa704df714f230e3ada88ce8

SHA256
a3fb4d50ad1d57b8359b8372e48f614f6e6bcb25f886093d6e09154d090634ea

SHA512
2cda630561133af1dc8571488e440055ada9b47899ab73fcb83dd5475b974b7d33cd4e736405a24f9aae4cec999b248ff9c18417386091b8bc893dafda587675

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
96KB

MD5
dd9cc3fa83b2dd60f22c23b1e8eb317a

SHA1
570f50954b92b506e7f686ed8c803c62fc445c49

SHA256
75c792971076ba0bda92c83b6d5ccac4e79d724f3b37cb46dbd176af81ef8dee

SHA512
93f742d731a22698ca4b066c9e0a89e87509e72a84c3575ac8ee123067a466b2e82bfa67e251c00a720162a2a1a669b73f1ab7d153e5b6fe2c2594ef6d62efff

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
96KB

MD5
187b9796e80516cd45f998fff761fc9d

SHA1
3b2ba31c133cc188747ccc1409c3521dd16402ca

SHA256
0fc7295de04429fdb23100904a54f8d80b48d53f49b642b521fda4290183f34f

SHA512
e5ea8c8300da658324fc877a6604563444cad95d4efe1574ff596ad71dd35abd70aac39dc7d4025e244d7fcb3d83123600516b96c85a3c1ed105e4a3c3b54b39

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
96KB

MD5
d770912f3661350312afa235201f1226

SHA1
c5ee2107dc700c26c66ced9ac99ecf428848795c

SHA256
6d2436d16addf6bb29012288fc1458ebe5ebf246f2cae85eeca6e1c883fbd8c0

SHA512
5914d36dcbdffe348c82260ed2231f3143db3d4abe02b9979915924dbe55d9fcf06134bc2a37e0c0d657550f808bd511cdfb5598aa78a987cbb4a7d8e07e55a6

Download Submit
C:\Windows\SysWOW64\Fohoigfh.exe

Filesize
96KB

MD5
9cc9dbd4f5d73c58b83d7b1d973ba225

SHA1
c169b3641d6142e1fe7a2788c50c985bc5d049b2

SHA256
37ba286f2638efad770f1bbfe47c8175a9576727bdb02217fc3e131ea1021adb

SHA512
22162027a7dd5db4dae29be5b3fbef82b70a7d0370b7ef9386fe3b12206d03e0fc9cc68c23ee5b5e187b9d2dfe6da7de150adfa94f4377ab9c06365b8eb07ba8

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
96KB

MD5
a1b0288ebc1bc46b3265d95b6d7ee06e

SHA1
cd9a810b1204b9f1eb2369e71e0240f7dc3fc7ea

SHA256
89653751ad85c6983ad6eed57ea780078f0a665dab20a4d01cbd8c9ac35317ee

SHA512
8dfa0e5c5e94a17803616a1e694c784317f991b57e25b3654e24193ca01b3f9993a279222fe74ee6bf197c8310b378300e614e235e4e2d9a22a831076097087e

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
96KB

MD5
64277d101c8c8553c3ed485bc3c56744

SHA1
e230e7ce88a540acbe344dce6e7e35c98c3bb532

SHA256
13ae994eb589d1d51317a93be9f21bdb702984f340a3b368b0a48b3490ae8bc7

SHA512
f61fdfd901c73d22595b3c6f386048e4f731fa0a8baf331c688419788fdce31e44d01df9d72a0942e72d26c5e627c6316d1f264d5d8f9ac44704cc3506d3c803

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
96KB

MD5
8dfa7b10c529fc93b77e66ed89c24bfe

SHA1
5a87ad8cf11bc4587fa8cf3aac5036ab4a5a69ca

SHA256
542888f6859fe93a5c972e4ecbd1cad5bdbf9624d7fd75830134efb80bb576dc

SHA512
4cdf203702d218c4765dfefc635799ea720e97902709d426a2ecc833c9b218000e954a192b0a972721c0b81f8b4760198ef147a5defa6282f7ccb2f3e8194041

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
96KB

MD5
8001403195acfd7f433d0bedb40f47c4

SHA1
4072ff2d6d771098b53c379bbedc7275e3d35f75

SHA256
38c4af9acdf3d48253b0041affc47c978b06e457eb861f845f45c1cf7f4f02ab

SHA512
fb00173f45e41939c3d78cebb1711acba649f1a8a6a5b61ad0d18c7208ec73d83a791715e4826fa73fe1a2118f83144666d9643e935b2e350d25151e67575606

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
96KB

MD5
7e7576b84d2d067f5261ac6bbea6e2d6

SHA1
3ff247ab981b93b1cf19c74d3e4e4187b31da1a4

SHA256
26e31c5a89e9e6a4bb794005969d353f89f1d71c76f0e66df34afd28e9470bd7

SHA512
053bf9813702d07686bf6b8b33aa0968410a0a18887436ad25306ff40d6e5662fe8aa382e5e291528a4713797e8a7d85b3d0dc65caf4d43189ef0b2ef00445cb

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
96c2b1e48d222f366e0ed009434f65d9

SHA1
721e8c9f14d61de6a9bc9da927fd7b9856383d7d

SHA256
bf3b7280025d21256b511b939372fefc35a800b0e27deafa6e1a98b3e6b56634

SHA512
b1afa9a63552db2cc12cb6b21580fb362390326b973a9047e0ae0f81d5026871a6846c96c7f1e32be4d912ef5ea56d208445fdcd5ef1d10b2df5843584fcd672

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
96KB

MD5
f7aad88c38507ae155cc2b214905ccef

SHA1
ec77892629c120c2ec407220735102b92fa604f3

SHA256
389768017dfafde575069373443e1f8e837614777905cfd79e650077dfd9578e

SHA512
866286206c95448d600d5616ebff830befae0954e97f6953dbfcf015f6ba542e522111622acaedb220b6ce997c04b3d7c72c2e0930f02da0403c54ea885b84fa

Download Submit
memory/384-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/572-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/984-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1064-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1120-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1192-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-52-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1300-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1848-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2124-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2260-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2284-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2532-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2804-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3264-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3528-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3792-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3876-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3900-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4248-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4768-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4916-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.