667a5a992f57c8749f09d62fbf77789970bd8cb32ea3163c6adec114d3544c6d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

667a5a992f57c8749f09d62fbf77789970bd8cb32ea3163c6adec114d3544c6d.exe
Size

101KB
MD5

a52f29e05041e0512c003394cf53b6db
SHA1

a106fd044e85dd990596243e98c8dabe8346d452
SHA256

667a5a992f57c8749f09d62fbf77789970bd8cb32ea3163c6adec114d3544c6d
SHA512

b17a836c30189a972e662d066a3ac5cf0af4845c471de0f188d7ffd75e3d4ac5c167d891ee5e341b5e15d1a2ff9b9266498e114080e779a84b68e47d32edadc0
SSDEEP

3072:B1qDfL6h7QrgD5E1ErOjduXqbyu0sY7q5AnrHY4vDX:3sfLeCo853Anr44vDX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odbgim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndobo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeflhdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdnjgmle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qchmagie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcfhof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfkma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicinj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgdji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgjfkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgmcqggf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcckif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogaceh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peljol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffddka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemlmgnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekacmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekemhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eleiam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dohfbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffddka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkojgao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddpeoafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqbamo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmpcdfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcmmeog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blbknaib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkagbej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjmdigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcefno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe

Executes dropped EXE 64 IoCs

pid	Process
4872	Kpjjod32.exe
632	Kcifkp32.exe
4684	Kibnhjgj.exe
640	Kajfig32.exe
3076	Kckbqpnj.exe
4552	Kkbkamnl.exe
2444	Lmqgnhmp.exe
5088	Lpocjdld.exe
1180	Lcmofolg.exe
532	Lkdggmlj.exe
4260	Laopdgcg.exe
1544	Lcpllo32.exe
1968	Lijdhiaa.exe
2288	Lnepih32.exe
2012	Ldohebqh.exe
2536	Lgneampk.exe
4632	Lilanioo.exe
1156	Laciofpa.exe
1872	Ldaeka32.exe
1876	Ljnnch32.exe
3320	Lnjjdgee.exe
1724	Lcgblncm.exe
4536	Lknjmkdo.exe
2856	Mahbje32.exe
1556	Mgekbljc.exe
4692	Majopeii.exe
316	Mjeddggd.exe
4804	Mpolqa32.exe
1660	Mcnhmm32.exe
1840	Mncmjfmk.exe
3616	Mkgmcjld.exe
2204	Mnfipekh.exe
4600	Mdpalp32.exe
4356	Nnhfee32.exe
1668	Ndbnboqb.exe
4508	Ngpjnkpf.exe
2720	Njogjfoj.exe
2344	Nafokcol.exe
3336	Nqiogp32.exe
2184	Ncgkcl32.exe
2268	Ngcgcjnc.exe
4052	Nnmopdep.exe
4028	Nqklmpdd.exe
3860	Ncihikcg.exe
3808	Nkqpjidj.exe
644	Njcpee32.exe
5080	Nbkhfc32.exe
1476	Ndidbn32.exe
2408	Nggqoj32.exe
4572	Ncnadk32.exe
5108	Ogjmdigk.exe
3920	Ojhiqefo.exe
764	Oqbamo32.exe
2552	Okhfjh32.exe
4720	Onfbfc32.exe
2952	Odpjcm32.exe
1560	Okjbpglo.exe
3056	Ojmcld32.exe
3348	Odbgim32.exe
2232	Ogaceh32.exe
3096	Odednmpm.exe
5100	Ocgdji32.exe
2972	Onmhgb32.exe
4108	Odgqdlnj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gcddpdpo.exe	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Aceghl32.dll	Kikame32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Qajadlja.exe	Qnkdhpjn.exe
File created	C:\Windows\SysWOW64\Fgnjkdco.dll	Behbag32.exe
File created	C:\Windows\SysWOW64\Hioiji32.exe	Hecmijim.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Hmmjhgem.dll	Pjffbc32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jccejahl.dll	Qchmagie.exe
File created	C:\Windows\SysWOW64\Ojdamdma.dll	Cbcilkjg.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Okhfjh32.exe	Oqbamo32.exe
File created	C:\Windows\SysWOW64\Oendmdab.dll	Jpppnp32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Edkdkplj.exe	Eamhodmf.exe
File created	C:\Windows\SysWOW64\Aogmoeik.dll	Ffddka32.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Ajbajd32.dll	Abngjnmo.exe
File opened for modification	C:\Windows\SysWOW64\Eefhjc32.exe	Ekacmjgl.exe
File created	C:\Windows\SysWOW64\Fllifblf.dll	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Flqimk32.exe	Fdialn32.exe
File created	C:\Windows\SysWOW64\Cibifp32.dll	Hoiafcic.exe
File opened for modification	C:\Windows\SysWOW64\Fcfhof32.exe	Fojlngce.exe
File created	C:\Windows\SysWOW64\Hcbpab32.exe	Himldi32.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Pjhbgb32.exe	Pgjfkg32.exe
File created	C:\Windows\SysWOW64\Elgfgl32.exe	Eleiam32.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jehokgge.exe
File opened for modification	C:\Windows\SysWOW64\Kfjhkjle.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Onfbfc32.exe	Okhfjh32.exe
File created	C:\Windows\SysWOW64\Ehedfo32.exe	Edihepnm.exe
File created	C:\Windows\SysWOW64\Jiglalpk.dll	Aaepqjpd.exe
File created	C:\Windows\SysWOW64\Akalojih.dll	Chbnia32.exe
File opened for modification	C:\Windows\SysWOW64\Eapedd32.exe	Ekemhj32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Iemkcl32.dll	Odgqdlnj.exe
File opened for modification	C:\Windows\SysWOW64\Fbpnkama.exe	Fcmnpe32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Abkjdnoa.exe	Alabgd32.exe
File created	C:\Windows\SysWOW64\Blbknaib.exe	Bdkcmdhp.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Odednmpm.exe	Ogaceh32.exe
File created	C:\Windows\SysWOW64\Hmjehihl.dll	Dohfbj32.exe
File created	C:\Windows\SysWOW64\Nknjccol.dll	Eleiam32.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Kmncnb32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mpablkhc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
11140	10880	WerFault.exe	515

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jccejahl.dll"	Qchmagie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jehokgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okhfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkgldj32.dll"	Bdkcmdhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehedfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edbklofb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjpm32.dll"	Gododflk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddpeoafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbhll32.dll"	Hmfkoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	667a5a992f57c8749f09d62fbf77789970bd8cb32ea3163c6adec114d3544c6d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghopckpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpeohm32.dll"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhccdhqf.dll"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkmhlekj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igoedk32.dll"	Ekcpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdialn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odednmpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aelcfilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkmchi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfpcgpae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elogmm32.dll"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbnoffm.dll"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhiqefo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odgqdlnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogmoeik.dll"	Ffddka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll"	Iicbehnq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmlocln.dll"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcmmeog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eapedd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 4872	1276	667a5a992f57c8749f09d62fbf77789970bd8cb32ea3163c6adec114d3544c6d.exe	89
PID 1276 wrote to memory of 4872	1276	667a5a992f57c8749f09d62fbf77789970bd8cb32ea3163c6adec114d3544c6d.exe	89
PID 1276 wrote to memory of 4872	1276	667a5a992f57c8749f09d62fbf77789970bd8cb32ea3163c6adec114d3544c6d.exe	89
PID 4872 wrote to memory of 632	4872	Kpjjod32.exe	90
PID 4872 wrote to memory of 632	4872	Kpjjod32.exe	90
PID 4872 wrote to memory of 632	4872	Kpjjod32.exe	90
PID 632 wrote to memory of 4684	632	Kcifkp32.exe	91
PID 632 wrote to memory of 4684	632	Kcifkp32.exe	91
PID 632 wrote to memory of 4684	632	Kcifkp32.exe	91
PID 4684 wrote to memory of 640	4684	Kibnhjgj.exe	92
PID 4684 wrote to memory of 640	4684	Kibnhjgj.exe	92
PID 4684 wrote to memory of 640	4684	Kibnhjgj.exe	92
PID 640 wrote to memory of 3076	640	Kajfig32.exe	93
PID 640 wrote to memory of 3076	640	Kajfig32.exe	93
PID 640 wrote to memory of 3076	640	Kajfig32.exe	93
PID 3076 wrote to memory of 4552	3076	Kckbqpnj.exe	94
PID 3076 wrote to memory of 4552	3076	Kckbqpnj.exe	94
PID 3076 wrote to memory of 4552	3076	Kckbqpnj.exe	94
PID 4552 wrote to memory of 2444	4552	Kkbkamnl.exe	95
PID 4552 wrote to memory of 2444	4552	Kkbkamnl.exe	95
PID 4552 wrote to memory of 2444	4552	Kkbkamnl.exe	95
PID 2444 wrote to memory of 5088	2444	Lmqgnhmp.exe	96
PID 2444 wrote to memory of 5088	2444	Lmqgnhmp.exe	96
PID 2444 wrote to memory of 5088	2444	Lmqgnhmp.exe	96
PID 5088 wrote to memory of 1180	5088	Lpocjdld.exe	97
PID 5088 wrote to memory of 1180	5088	Lpocjdld.exe	97
PID 5088 wrote to memory of 1180	5088	Lpocjdld.exe	97
PID 1180 wrote to memory of 532	1180	Lcmofolg.exe	98
PID 1180 wrote to memory of 532	1180	Lcmofolg.exe	98
PID 1180 wrote to memory of 532	1180	Lcmofolg.exe	98
PID 532 wrote to memory of 4260	532	Lkdggmlj.exe	99
PID 532 wrote to memory of 4260	532	Lkdggmlj.exe	99
PID 532 wrote to memory of 4260	532	Lkdggmlj.exe	99
PID 4260 wrote to memory of 1544	4260	Laopdgcg.exe	100
PID 4260 wrote to memory of 1544	4260	Laopdgcg.exe	100
PID 4260 wrote to memory of 1544	4260	Laopdgcg.exe	100
PID 1544 wrote to memory of 1968	1544	Lcpllo32.exe	101
PID 1544 wrote to memory of 1968	1544	Lcpllo32.exe	101
PID 1544 wrote to memory of 1968	1544	Lcpllo32.exe	101
PID 1968 wrote to memory of 2288	1968	Lijdhiaa.exe	102
PID 1968 wrote to memory of 2288	1968	Lijdhiaa.exe	102
PID 1968 wrote to memory of 2288	1968	Lijdhiaa.exe	102
PID 2288 wrote to memory of 2012	2288	Lnepih32.exe	103
PID 2288 wrote to memory of 2012	2288	Lnepih32.exe	103
PID 2288 wrote to memory of 2012	2288	Lnepih32.exe	103
PID 2012 wrote to memory of 2536	2012	Ldohebqh.exe	104
PID 2012 wrote to memory of 2536	2012	Ldohebqh.exe	104
PID 2012 wrote to memory of 2536	2012	Ldohebqh.exe	104
PID 2536 wrote to memory of 4632	2536	Lgneampk.exe	105
PID 2536 wrote to memory of 4632	2536	Lgneampk.exe	105
PID 2536 wrote to memory of 4632	2536	Lgneampk.exe	105
PID 4632 wrote to memory of 1156	4632	Lilanioo.exe	106
PID 4632 wrote to memory of 1156	4632	Lilanioo.exe	106
PID 4632 wrote to memory of 1156	4632	Lilanioo.exe	106
PID 1156 wrote to memory of 1872	1156	Laciofpa.exe	107
PID 1156 wrote to memory of 1872	1156	Laciofpa.exe	107
PID 1156 wrote to memory of 1872	1156	Laciofpa.exe	107
PID 1872 wrote to memory of 1876	1872	Ldaeka32.exe	108
PID 1872 wrote to memory of 1876	1872	Ldaeka32.exe	108
PID 1872 wrote to memory of 1876	1872	Ldaeka32.exe	108
PID 1876 wrote to memory of 3320	1876	Ljnnch32.exe	109
PID 1876 wrote to memory of 3320	1876	Ljnnch32.exe	109
PID 1876 wrote to memory of 3320	1876	Ljnnch32.exe	109
PID 3320 wrote to memory of 1724	3320	Lnjjdgee.exe	111

C:\Users\Admin\AppData\Local\Temp\667a5a992f57c8749f09d62fbf77789970bd8cb32ea3163c6adec114d3544c6d.exe
"C:\Users\Admin\AppData\Local\Temp\667a5a992f57c8749f09d62fbf77789970bd8cb32ea3163c6adec114d3544c6d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\Kpjjod32.exe
  C:\Windows\system32\Kpjjod32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\Kcifkp32.exe
    C:\Windows\system32\Kcifkp32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\SysWOW64\Kibnhjgj.exe
      C:\Windows\system32\Kibnhjgj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        23⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        25⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        27⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        28⤵
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        30⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        31⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        33⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        34⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        36⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        37⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        38⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        39⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        40⤵
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        42⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        45⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        46⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        47⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        48⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        49⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        50⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Ncnadk32.exe
        
        C:\Windows\system32\Ncnadk32.exe
        51⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Ogjmdigk.exe
        
        C:\Windows\system32\Ogjmdigk.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Ojhiqefo.exe
        
        C:\Windows\system32\Ojhiqefo.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Oqbamo32.exe
        
        C:\Windows\system32\Oqbamo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Okhfjh32.exe
        
        C:\Windows\system32\Okhfjh32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Onfbfc32.exe
        
        C:\Windows\system32\Onfbfc32.exe
        56⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Odpjcm32.exe
        
        C:\Windows\system32\Odpjcm32.exe
        57⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Okjbpglo.exe
        
        C:\Windows\system32\Okjbpglo.exe
        58⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Ojmcld32.exe
        
        C:\Windows\system32\Ojmcld32.exe
        59⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Odbgim32.exe
        
        C:\Windows\system32\Odbgim32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Ogaceh32.exe
        
        C:\Windows\system32\Ogaceh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Odednmpm.exe
        
        C:\Windows\system32\Odednmpm.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Ocgdji32.exe
        
        C:\Windows\system32\Ocgdji32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Onmhgb32.exe
        
        C:\Windows\system32\Onmhgb32.exe
        64⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Odgqdlnj.exe
        
        C:\Windows\system32\Odgqdlnj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Pjdilcla.exe
        
        C:\Windows\system32\Pjdilcla.exe
        66⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Peimil32.exe
        
        C:\Windows\system32\Peimil32.exe
        67⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Pjffbc32.exe
        
        C:\Windows\system32\Pjffbc32.exe
        68⤵
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Peljol32.exe
        
        C:\Windows\system32\Peljol32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3328
        
        C:\Windows\SysWOW64\Pgjfkg32.exe
        
        C:\Windows\system32\Pgjfkg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Pjhbgb32.exe
        
        C:\Windows\system32\Pjhbgb32.exe
        71⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        72⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Pgmcqggf.exe
        
        C:\Windows\system32\Pgmcqggf.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5072
        
        C:\Windows\SysWOW64\Pnfkma32.exe
        
        C:\Windows\system32\Pnfkma32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1828
        
        C:\Windows\SysWOW64\Pbbgnpgl.exe
        
        C:\Windows\system32\Pbbgnpgl.exe
        75⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\Pcccfh32.exe
        
        C:\Windows\system32\Pcccfh32.exe
        76⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Pjmlbbdg.exe
        
        C:\Windows\system32\Pjmlbbdg.exe
        77⤵
        
        PID:924
        
        C:\Windows\SysWOW64\Pbddcoei.exe
        
        C:\Windows\system32\Pbddcoei.exe
        78⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\Qecppkdm.exe
        
        C:\Windows\system32\Qecppkdm.exe
        79⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Qkmhlekj.exe
        
        C:\Windows\system32\Qkmhlekj.exe
        80⤵
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        81⤵
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Qajadlja.exe
        
        C:\Windows\system32\Qajadlja.exe
        82⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        84⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\Qnnanphk.exe
        
        C:\Windows\system32\Qnnanphk.exe
        85⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        86⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Agffge32.exe
        
        C:\Windows\system32\Agffge32.exe
        87⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Alabgd32.exe
        
        C:\Windows\system32\Alabgd32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Abkjdnoa.exe
        
        C:\Windows\system32\Abkjdnoa.exe
        89⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        90⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Ahhblemi.exe
        
        C:\Windows\system32\Ahhblemi.exe
        91⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        92⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        93⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        94⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        95⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        96⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        97⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Aacckjaf.exe
        
        C:\Windows\system32\Aacckjaf.exe
        98⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        99⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        100⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        101⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        103⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        104⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        105⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Beeflhdh.exe
        
        C:\Windows\system32\Beeflhdh.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Bhdbhcck.exe
        
        C:\Windows\system32\Bhdbhcck.exe
        107⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        109⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        113⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        115⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        116⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Cklaknjd.exe
        
        C:\Windows\system32\Cklaknjd.exe
        119⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        120⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        121⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        122⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Cahfmgoo.exe
        
        C:\Windows\system32\Cahfmgoo.exe
        123⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        125⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        126⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        127⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        128⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        130⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        131⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        132⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        134⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        135⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        136⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        137⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        139⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        140⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        141⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        142⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        143⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        144⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        146⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        147⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        148⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        149⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        150⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        151⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        152⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        153⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        155⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        157⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        158⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        159⤵
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        160⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        161⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        163⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        164⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        165⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        166⤵
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7144
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        169⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        170⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        171⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        173⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        175⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        176⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        177⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        178⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        179⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        180⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        181⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7140
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        183⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        184⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        185⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        186⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        187⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        189⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        191⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        192⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        193⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        194⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        195⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        196⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        197⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6484
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        199⤵
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        200⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        201⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        202⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        203⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        204⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        205⤵
        Modifies registry class
        
        PID:7364
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        206⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        207⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        208⤵
        Drops file in System32 directory
        
        PID:7532
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        209⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        210⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7652
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        211⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        212⤵
        Drops file in System32 directory
        
        PID:7744
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        213⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        214⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        215⤵
        Modifies registry class
        
        PID:7876
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        216⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        217⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        218⤵
        Modifies registry class
        
        PID:8004
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        219⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        220⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        221⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        222⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        223⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        224⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        225⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        226⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7568
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        228⤵
        Modifies registry class
        
        PID:7680
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        229⤵
        Drops file in System32 directory
        
        PID:7728
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        230⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7912
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7992
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8084
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8156
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        235⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7232
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        236⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7524
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        238⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        239⤵
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        240⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        241⤵
        Modifies registry class
        
        PID:8016
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        242⤵
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        243⤵
        Drops file in System32 directory
        
        PID:7356
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        244⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        245⤵
        Modifies registry class
        
        PID:7760
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        246⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        247⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        248⤵
        Drops file in System32 directory
        
        PID:7504
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        249⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        250⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        251⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        252⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8044
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        254⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        255⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        256⤵
        Drops file in System32 directory
        
        PID:8284
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8332
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        258⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        259⤵
        Drops file in System32 directory
        
        PID:8408
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        260⤵
        Modifies registry class
        
        PID:8456
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        261⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        262⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        263⤵
        Drops file in System32 directory
        
        PID:8588
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8632
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        265⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        266⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        267⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        268⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        269⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        270⤵
        Drops file in System32 directory
        
        PID:8928
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        271⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        272⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9068
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        274⤵
        Drops file in System32 directory
        
        PID:9120
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        275⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        276⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8244
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        278⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        279⤵
        Modifies registry class
        
        PID:8424
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        280⤵
        Modifies registry class
        
        PID:8476
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        281⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        282⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        283⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        284⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        285⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8812
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        286⤵
        Drops file in System32 directory
        
        PID:8868
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        287⤵
        Modifies registry class
        
        PID:8948
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        288⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9008
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        289⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        290⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        291⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        292⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        293⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8540
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        295⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        296⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        297⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        298⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        299⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        300⤵
        Drops file in System32 directory
        
        PID:9204
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        301⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        302⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        303⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        304⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        305⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        306⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        307⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8784
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        309⤵
        Modifies registry class
        
        PID:8992
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        310⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        311⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8616
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        312⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        313⤵
        Modifies registry class
        
        PID:8920
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        314⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        315⤵
        Drops file in System32 directory
        
        PID:9304
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        316⤵
        Modifies registry class
        
        PID:9352
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        317⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9388
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        318⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        319⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9472
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        320⤵
        Drops file in System32 directory
        
        PID:9520
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        321⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        322⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9596
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        323⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        324⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        325⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        326⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        327⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        328⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        329⤵
        Drops file in System32 directory
        
        PID:9888
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        330⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        331⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        332⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        333⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        334⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        335⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        336⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        337⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        338⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        339⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9272
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        340⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        341⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        342⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        343⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9516
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        344⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        345⤵
        Modifies registry class
        
        PID:9668
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        346⤵
        Modifies registry class
        
        PID:9744
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        347⤵
        Drops file in System32 directory
        
        PID:9800
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        348⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        349⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        350⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        351⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        352⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        353⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        354⤵
        Drops file in System32 directory
        
        PID:9232
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        355⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        356⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        357⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        358⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        359⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        360⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9872
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        361⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        362⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        363⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        364⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        365⤵
        Modifies registry class
        
        PID:9688
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        366⤵
        Modifies registry class
        
        PID:9836
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        367⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        368⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8924
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        369⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        370⤵
        Drops file in System32 directory
        
        PID:9980
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        371⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        372⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        373⤵
        Drops file in System32 directory
        
        PID:9740
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        374⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        375⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        376⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        377⤵
        Modifies registry class
        
        PID:10364
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        378⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        379⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        380⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        381⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10524
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        382⤵
        Modifies registry class
        
        PID:10572
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        383⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        384⤵
        Drops file in System32 directory
        
        PID:10652
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        385⤵
        Modifies registry class
        
        PID:10692
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        386⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        387⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        388⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        389⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        390⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        391⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        392⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        393⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        394⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11060
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        395⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        396⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        397⤵
        Modifies registry class
        
        PID:11208
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        398⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        399⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        400⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        401⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        402⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        403⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        404⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        405⤵
        Modifies registry class
        
        PID:10676
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        406⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        407⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        408⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10900
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        409⤵
        Modifies registry class
        
        PID:10968
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        410⤵
        Drops file in System32 directory
        
        PID:11032
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        411⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        412⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11216
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        413⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        414⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10388
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        415⤵
        Modifies registry class
        
        PID:10452
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        416⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        417⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        418⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        419⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10880 -s 404
        420⤵
        Program crash
        
        PID:11140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 10880 -ip 10880
1⤵
PID:11044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abemjmgg.exe

Filesize
101KB

MD5
4147e45a6547bf9903085a9a03879167

SHA1
20d382f760c58d7269412694075e8eb306f295ad

SHA256
4a4adbb113b4908def4baeff9ce3723b37161659662d3da1534a56d045460dba

SHA512
6d893a43489141232383d20d3ff5da4a5b4fe38f16565a4c3df570221ef3f286b6b0746f3ec79ae838629ce7a9144b17f1d60d1a3757ed13772d1607b4783382

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
101KB

MD5
83c6b8abbd3c7f9733ccd799dd57ccb1

SHA1
82949538d15a4a88e20490d0b4f205d7d37771ab

SHA256
a83b8a3cb5f4e05339110b2919bcbbc7d19ab349d1ac2ac00fb077989c456cec

SHA512
e7f9a587d6de258656697a0b1d4f82b813cab27f9a0763898531bbdef54f148a474e887bbf247ff0af77e50437475171d9d279774091262ec6ba542a9d876937

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
101KB

MD5
d259471e36b6abac808866e8b4b699f3

SHA1
601758b5780f3c341816a17509c82cfc5a2c2548

SHA256
faec35e413b0e40c2d4a377f98f5a363f697fd84c21618fd9dfe10a14bb4b2c1

SHA512
db18ec273186ff32da2ae3050c4ba7d069810cc4390822c159f8965dbf1be00fae1280381648ff33bf0a2742cac0795ac4a5376c65d84bfd471bff77fa51f931

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
101KB

MD5
3725d94e9cfd01d36ae2403f3ba46bea

SHA1
b0307a71942c330b8703e672ea31d6e4f25e42a5

SHA256
cd28e7ae2b593a19b882cd6116edf3b7b795e417da1960430b2e3cabe86c0bf0

SHA512
3c849cd508fa4275e7bf8aea5240f33117b010af992cb7ed40b7eebfdbeabb4ffdba353d55df601b83bc57da1b22284c143d12e1fe08b60ce66838b364b3bf4f

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
101KB

MD5
4474d164f3e8af1fcfcc290fbe709c6e

SHA1
249388b25d6a786d75f08c45641cfb742ad2293d

SHA256
1963bf0199021181e00a3cf4fc3b72a0dab3480ab00bf8a578ec1fd947f5df71

SHA512
b9bfae6841d9b934338ed9dc74e1de8d06d2844842c6f3c1c8bd8b2adf33c622c9e53437bb8eef5af204a8f9ccc9f1fd6a8654a5d26079b02a50611f3a1fd8e5

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
101KB

MD5
01076dc84f88d11b09e71d3aa39f88b2

SHA1
fcb85671c8d07918130fd0454dabb2711cf3b3a1

SHA256
a0bd63b95d556e11a7edf3aca9565dc6b96b8e197f4169d5758f2b77d7122681

SHA512
35e127c3eeaa257723f1821e6d53f8dd4e5f54354ff5628f7c56e94d44822e75461164901c8b589e75aa013de4e6d9be835fefe92a5f6b7b16211fddaa1be391

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
101KB

MD5
f5db22dc945fb7aed3fb74376c840fb8

SHA1
d4dea7823048952398f7f2cdbc88bdf974600da6

SHA256
be4e405f29343e463985d25e579f293734026671dc717b61769c113f0fa0403b

SHA512
c28a05551da0243d7e04d9a6e82126252626c0a57baadabed5093f044a06c2525ecd08ec5a0a6fc360827de1fffaeb93ca6dd80b61dfd470e676b28b81fdb3b9

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
101KB

MD5
4a3aa7366deea5bcabd30fa922429618

SHA1
d3fcc75f2924d6c7305e1ebd0230077507534f47

SHA256
fae03cbfd90010e62bfd8bd3c24ecc64edd54d8fdab6683e0a25330d1efd9d7b

SHA512
b15359edf139c73b13e0bb9ad7f46eb7f35a7045ac73bee2daaf1a05aadd1f0b122ba3dfccc719c37cd574563b4c7adb86a723f350f02f81434869157c184400

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
101KB

MD5
9bd905221a14e2734874fec2c4378309

SHA1
03e32a6b1e1f94ddb322eaa81e8b73ae2a9c11a3

SHA256
1381797a76952d1465974a47251622895b88f50d1aaed24e6a8b840a11aae2aa

SHA512
066adeff6a867774742312fd74dda340f9123c6521179878f4d410d06d273c3e441e7b3ec79330029bd3da6859972609316d108861c157496a66569685142885

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
101KB

MD5
920f0bb751cd4d4fa48bc5e00e272a33

SHA1
7a8cac6bda4c483602f526ae45571473bda46079

SHA256
519e6b84bdc31ffb504f7dfd5768dab1737958929cb396453232494968a44e3f

SHA512
cff080c95cfebd80971b3addb0fa962dc052e6e484aa4cf066b1726c1c8f97c137e763baef5972e505651fad043736ab5230a088ff7ebc082c39785eb1ab58aa

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
101KB

MD5
ea17c6a6bfdf6c97a1100d78dbdc84fd

SHA1
b3244a2e4aa1be1c6f127c5bc2247ffb46bfd1ba

SHA256
ee899782761fff10ce546a5e5205af472d91fea378680eb56e9adfd78c78fefa

SHA512
520323cef6c8a70b99488ee789913b88adc3bf05223ef9b5568ecebaffe782eea89b5d1dd375e38ca4094cb0f3e4746cc5176c8875961cfefaf3393575f16abc

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
101KB

MD5
9e6176f8138304968c66075ecc7e7b08

SHA1
793f27320ce60dc8b82b6d62123d2a4a0cde100f

SHA256
520ce3b60ce568dc62ad5947278ba58dcb390eefb29bbd0730a829a2183b6135

SHA512
813188b6d3ae3227b37e4d840bd949c48cc3a809cba41fa22b71663009b3420b5919357b3f94acb97eb3b10a3d100c2d5f0256c0b0db6ca07a7ba3bade55cd98

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
101KB

MD5
3b7683092baf3fd2ed0e26c82ba8af3d

SHA1
d16bdf0d6ab1fc0c42b23e9bf745d16f8d6806e6

SHA256
9ed937304920368818239895b52fe42df25c64b1be659bb327b05dfd09e3a013

SHA512
d5a808918e5f2f3ab9f3ad217631f179b16164a3a8793c16e5ede2b5d21dd4942784f3ba994dd611cd91e43ee02c2443092ffaac5cd7f54b227df29da2b3618a

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
101KB

MD5
6f2fefa2ba2b2d9ff84200ec53a053d4

SHA1
726a2a86fce0a820086493da2a42dc24fb4257dd

SHA256
b1fae5e986e1f386fba3a871a05ddb42b80e16aebb4722a0f9409f388e3e5def

SHA512
4168e25f83c75456ae718c4f4e059fef726ab39207325880e24b0328b0b2911919466e8442d3e8e3a0b8578d896ac0c0df7b3f4a1030c422a2778fa6ded1dac0

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
101KB

MD5
c4a2fb1a79300b3c9b8801ca5a257316

SHA1
86b216620611487630074188c22bea0e46edc924

SHA256
4e71e77317b69d3234545ba6ff3300146d5e81753468f8f79dd39676e8855c26

SHA512
a59dc9d5ac9a5364ca1d1259c602792707e01dae513ec05bf9850e1e9331a0023b4c0cf36fa677f0d4112bec8117b7217ed80f6b9e5b6812b483b98d620e369e

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
101KB

MD5
ae5ead10edd87d9b02db735755ef0240

SHA1
d1e98e736bf61bffbb766354d18862b54b63f27f

SHA256
7d2c17ccfcd7f24906c8d2600cd1dc10e7f515dc5026841eb164370d53ecc2d5

SHA512
5b9cfa069b30c39708e77a955fa5fd5dc1331ee10afa247a1f23497922580c07ffedcffb2be1d99e3e2a9cc4a69ea77103baa9c99595b246a3d6e35787e72dac

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
101KB

MD5
9ad3d56e2d1b3df5784d3d8bf4463c63

SHA1
984de9534b5a414f9746f41e085ef9252860c1f4

SHA256
3802d212b3d2ca2bf49553dc9fbf79f4a8c6cfb43453b24ee070715dc6e2d809

SHA512
d6d6d8f9a0464b547622b19b2b00e2a87fb6a659bbaed9639a4b5f82317423c197122d47c42bbcb0bda6e2c094401a35633e87591b65672597a248f834f469f9

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
101KB

MD5
2a8ef0dc965b2bb2be0cd9376978b16e

SHA1
fdbeafa605448f58d6c98c5c2816521f0b690565

SHA256
fa4b27d8162a01996e3e9f5b64eb502912a1f2ee66d15431e143aab043a14fdb

SHA512
af3aa3e688e79774de2458e82c93df14b57ceb3c1f01bcbea7c8be17066f83f6fb1d2332d98efffcea9a1b0385781b7eec08af084669b95d36a364030787a5f0

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
101KB

MD5
f80e6df40d6213ce14836cd2ef134748

SHA1
f1dbb8887b090fe645a619081a17dfddf0cc7961

SHA256
49e39a2bff971e74d9dff91d98e6446429514066a88e316c4526e8bbe85787d1

SHA512
1c38c1e77a240ac56d22a71866aef7793c150a94537f265ad12b588bf507dd4cc5b240acaba672aed40398b5fad6a99310a7e16311da717ce59e170947421a3d

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
101KB

MD5
d8b49e2e8cc18cd005704cd6ed3ef8dc

SHA1
fdf9c21b53c720a76372aee157eb1d1d73f6781b

SHA256
b5f3d40c82877bc88d2ba299791e8110378ac185f3612e3da26fb9600b6880bb

SHA512
60dfa7b440ac94b4e9c992080b8a911ace50b7e9a2a65fba0ed773911e2e9ddf0eba5f0f393de681e888acd4a1ccd50c314826932b2a0a60e67b9fa1f50bd896

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
101KB

MD5
e9bb4483e823d3e1b8cffe4c43d9dff4

SHA1
bf97e6c1de4ea64ff5b3bbf0c96767dabf6a2654

SHA256
bdfcbad5fc85bf799c602af2af81b1f7195107ee2367b6e0512dfeed2ceb50f1

SHA512
3f3cd86d183419a7dcd7f1d1fbf4696149741f31638020f90ce1e982e342a319da6def7de72a6b89ad3f8135a6cd6fe391c80143633b6f03fb24d2d6c43b44a3

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
101KB

MD5
df0e29388b22d13c4c7ea90265fb66cf

SHA1
d206d7f7ee6c7c8d267d0e2b6b11035bc8446904

SHA256
554bd4f9f1e96bbc45552941ceca76dca8340f96bf88c928eeb2989a331bb893

SHA512
40df13bdaea5433f0d283ab1e58978ef7469dfef4d4e291b2a739fe32175d284935ef8f923cb84d2fd3a191f2688282c26b75908952bbe0a8e29780749a05b84

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
101KB

MD5
eaf3bde908f70b7ccaa2868fa8a80159

SHA1
a6a10e21c8635cda65f9e0a72546c72f02fb96ae

SHA256
1ba3c3457297124629e67993aa57c8e239eefb8c67e05a012468d88bea288986

SHA512
5fc6ae236ffea3a9875c6f4cc7d5614fd7e9642db1f7d852219f8ce666295709cc2e90ae16dd6798cddcd3c53dddc037f89b9f26e010f0185a3558decc17340a

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
101KB

MD5
36552a9004a9d4fbf4a714867165bcc0

SHA1
2ea75db3b119088410d23302b5534ec17c71c067

SHA256
689ae1f99f33a35e8c48ba6ea1772c0100afc3afebb50f2e273007097f62f492

SHA512
0441a051eda7eb7dd80cc088c0cb303d56f54b267e5e29edb2ecb60cc3d2019cc21c3214dcc8650109389cf277bdbfa0773126cae6c75ea573fcf765f92caace

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
101KB

MD5
fb605561532b5514bd64f025e2f93327

SHA1
519ef9c693ab20079638a3777518d7c31a12565b

SHA256
add3ff996fa9ccca4b0ced4afe7db906fcc658f34006d256a2c7b1b7a0f6ddec

SHA512
5392ff9202325932949dbde649f3d0fcd5c573f845c6b688baf5899a0e82cb91607a1fef356fd84235ae918895ff4928bebbe407c8fba9a79075fa6aefe51e72

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
101KB

MD5
b26cee8ab01aee4ac12e2de5b76fde86

SHA1
006f06271489c1899196ffc737187e9c31563631

SHA256
141af577e1beaeb14496a9379323cf44b798dfb229890a4ad430ffcb270749c9

SHA512
793f3a937efa34a128bff03b9ca497b50fe6ae96298235998a65301e1b7d8e4c65aa08368e5fd396f173e3302e7ff3684ae51e80b6faed359b65339d3c098fe1

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
101KB

MD5
e46d019136f41dc441c2f19524819940

SHA1
08407455427227f635c9986736b02b70744acaa3

SHA256
7df947ebf50f90e4da4dc463270c829d374d518c28f3f6831ab2aac49bf00c39

SHA512
2f72ea47fa17d697dba5d1253eceb18c641cde9935313e7465dc061473c71496465a51ef11418c9a415ceace415658f57be281d04061bee4e342ce5ede4ddf63

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
101KB

MD5
ea468070f0ccaaad1787c15afeee4dcd

SHA1
9be57773245f68d0b70baea4cc7f7eba443f668b

SHA256
1b6736008224763f6660c384092f70c57cf27f60f42a342442f71977eef7888e

SHA512
54b500bcc0ebb08ebd081f009a34c2dc2ca458d4fada788c5ec1f1e2aa0c655cc846d818c0a21c89853ee22213ad89ddb35a49a06c8284ab0dfc00474f1bb93a

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
101KB

MD5
0037605844361f0029058983994bcd1f

SHA1
b5985709ee814e7ea07371ff42365fb36fba6c64

SHA256
cd397d19f0f76f2a51272a9877741ff250b4ee4813d03ce9b2ae4a1103b2dcca

SHA512
ec4ac20a6a9dc283d37ede473f3f61ac15128d4d6f8e75b356453bc03dc724da6900793c470e17960c1c06a3a260221ebad3d35272db68073fbb6b92bb9ad23e

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
101KB

MD5
cd8c1865657ad165920e50cc5617e99f

SHA1
383ace6fb9ec3a584c640033d4b1151df41edaf5

SHA256
fe021853adab4bce8cc432d0d3f52ed1e1d2dd00b3e7347d219ff11766a58a48

SHA512
daa4b16ab9d53029cc15214b13d1481b3b4933433723893f14d073854896fcbd84d20ed4b2526be25cb5c197d90e4df9e45555776c151d12581aae09cf58c609

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
101KB

MD5
03d6474ff02e0253ea8cca1af89343b0

SHA1
614c127806985c602cfec20541165674bdc119a1

SHA256
6692d21f4a98bad061c8362a2c86b8bc24085e252335a811862950cd88d5b2ab

SHA512
22e651aa80330411c6e1c9f58221845547d9467762c2e838ac6fafe5a864386b4a3f85b6074d5ac9e3b65cab65358683273403033544563e281647c17300e339

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
101KB

MD5
c0e5c448983916703e012c26dcc6174d

SHA1
aceee961d9d1bb9257b5a582411934f25aa70015

SHA256
9c41d5be61541a13db6296489f55e8413ff1f530b0b923dd3ed09ff737c1a454

SHA512
d29bf9a98aaee9f229cc0b9f8f1a9935ca7127009d9ae342e8114501825efec30d452b10c346695dea0a1e5ad5089bb7ed3829b7997f93871941b481a17fa2cf

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
101KB

MD5
256a796f98b9d5dc7949df06ee14cb79

SHA1
02056f37033dbaec402a6e1fd4ce22afda493dc8

SHA256
81f58db3ce7cf84745c681d3acecd5915794f3101f755590d18d68a643966c2e

SHA512
18a24771b483fbd3736dd76974e64ce83001df9873a5c8a90ca62a89fd572ab6d22501c42f5e11f8f4386f708cd7c4652ac1c5f27b3ef30316d270d447df95f8

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
101KB

MD5
b8a881422a0fb8fb50b9675b714f89f8

SHA1
e8a1b77b75904a11e5ca2b9374763ea2b4339dd1

SHA256
7c81942832de2a1651cdb377191fe444e48058eaba57b781bd71107286d2b4e2

SHA512
bd98d7cd8b97e87eaaaa0788ba33fc3bee17c585d9e4ed8ea9463430e1331d324a43a789c161a2baf410b4c61e02c451a7e66b397618454ef7c37241b689c575

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
101KB

MD5
0e2c8cf2fd09d64427d7380c207b40c0

SHA1
0e8f52a720d028ae10a7b2c90ab40a8ecc72b2fc

SHA256
2627aaf6cce8f4fa9e4464ee23ab540922cc4272f9317606338cbbdc3805d323

SHA512
e59e5eab763c949d29f6432e62f37970aecc2e96d195295dd53525e8709b344e75809187dc7590f3e0eed101c9bd86d0d0951d7fba88b3a9250ac0f1cd99ca43

Download Submit
memory/316-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/632-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/764-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1276-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1544-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1840-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1872-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4356-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4508-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10276-2774-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10388-2759-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10404-2772-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10452-2758-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10540-2770-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10640-2756-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10728-2767-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10768-2755-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10840-2766-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10856-2784-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10892-2783-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10976-2781-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11016-2780-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11060-2779-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11096-2762-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11156-2777-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11208-2776-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/11252-2619-0x00000000760F0000-0x0000000076210000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads