a1b53669483c96fde0cc19c1e092f6ce659764e39ccc181d5901ff3923f3d00e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b53669483c96fde0cc19c1e092f6ce659764e39ccc181d5901ff3923f3d00e.exe
Size

64KB
MD5

380551e00e81498f4f7e55e7aa486ea0
SHA1

b6e8f2a5694ed9cab5bea2f7925bdd8b5cae90cc
SHA256

a1b53669483c96fde0cc19c1e092f6ce659764e39ccc181d5901ff3923f3d00e
SHA512

1bc75f3993fc0c994dca4581ac21964e8b9ded4988cadafc6e78d6db77af7b8320ddf3b6bf3b7ca0b1fb142d41b55368539cf12746fa5c2190e8bb54ed36b508
SSDEEP

1536:2x12hewQ+IxrKTWvMmM6agofKtbMYFi4eUXruCHcpzt/Idn:2n2hewQ+ordvTvfWKpWRpFwn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkljak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Demecd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkciihgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Demecd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkljak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faihkbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiaephpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehnglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfkoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe

Executes dropped EXE 64 IoCs

pid	Process
208	Dekhneap.exe
2404	Dkgqfl32.exe
1148	Dboigi32.exe
2548	Demecd32.exe
4052	Dhkapp32.exe
3604	Dkjmlk32.exe
3100	Ddbbeade.exe
4672	Dkljak32.exe
2568	Dafbne32.exe
4932	Dddojq32.exe
3140	Dojcgi32.exe
2152	Dahode32.exe
1136	Dhbgqohi.exe
4268	Echknh32.exe
2240	Ehedfo32.exe
4896	Ekcpbj32.exe
1764	Ecjhcg32.exe
4900	Eeidoc32.exe
1976	Ehgqln32.exe
2348	Eoaihhlp.exe
2196	Eapedd32.exe
5044	Eleiam32.exe
4928	Eocenh32.exe
4760	Eabbjc32.exe
4296	Elgfgl32.exe
4936	Eadopc32.exe
2476	Ehnglm32.exe
4256	Fohoigfh.exe
2512	Fkopnh32.exe
388	Fcfhof32.exe
1536	Faihkbci.exe
4516	Fkalchij.exe
4200	Ffgqqaip.exe
4596	Fkciihgg.exe
2120	Fbnafb32.exe
4568	Fdlnbm32.exe
1316	Fkffog32.exe
3328	Fbpnkama.exe
1916	Fhjfhl32.exe
3872	Gdqgmmjb.exe
5076	Glhonj32.exe
1696	Gofkje32.exe
564	Gfpcgpae.exe
1812	Ghopckpi.exe
2648	Gbgdlq32.exe
2888	Gdeqhl32.exe
3488	Gkoiefmj.exe
3628	Gokdeeec.exe
1528	Gbiaapdf.exe
4420	Gicinj32.exe
1808	Gkaejf32.exe
1360	Gcimkc32.exe
2984	Gdjjckag.exe
3840	Hmabdibj.exe
3756	Hopnqdan.exe
3496	Hbnjmp32.exe
5080	Helfik32.exe
2948	Hmcojh32.exe
2960	Hobkfd32.exe
628	Hijooifk.exe
2188	Hmfkoh32.exe
3080	Hcpclbfa.exe
3676	Hfnphn32.exe
1860	Himldi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hbnjmp32.exe	Hopnqdan.exe
File opened for modification	C:\Windows\SysWOW64\Ifjodl32.exe	Ickchq32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Gofkje32.exe	Glhonj32.exe
File opened for modification	C:\Windows\SysWOW64\Gcimkc32.exe	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lphoelqn.exe
File opened for modification	C:\Windows\SysWOW64\Dkgqfl32.exe	Dekhneap.exe
File opened for modification	C:\Windows\SysWOW64\Iikhfg32.exe	Ifllil32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Gkoiefmj.exe	Gdeqhl32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Fbnafb32.exe	Fkciihgg.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Jedeph32.exe	Jbeidl32.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Mkoqfnpl.dll	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Eoaihhlp.exe	Ehgqln32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Hmjdjgjo.exe	Hecmijim.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Kfjhkjle.exe	Jcllonma.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Iblfnn32.exe	Ipnjab32.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Hbbhclmi.dll	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Nekfmb32.dll	Hijooifk.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Ipdqba32.exe	Iikhfg32.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Imoneg32.exe	Iehfdi32.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Fkopnh32.exe	Fohoigfh.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Eabbjc32.exe	Eocenh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8220	9120	WerFault.exe	382

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjqaij32.dll"	Dddojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ickchq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eleiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbcedcn.dll"	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkhie32.dll"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjccol.dll"	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll"	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll"	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkciihgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dekhneap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkjmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhmqf32.dll"	Himldi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipknlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glhonj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghopckpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipeomnnj.dll"	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcfhof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehedfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcpclbfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhjfhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbgkimpf.dll"	Dkgqfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojcgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 208	3208	a1b53669483c96fde0cc19c1e092f6ce659764e39ccc181d5901ff3923f3d00e.exe	89
PID 3208 wrote to memory of 208	3208	a1b53669483c96fde0cc19c1e092f6ce659764e39ccc181d5901ff3923f3d00e.exe	89
PID 3208 wrote to memory of 208	3208	a1b53669483c96fde0cc19c1e092f6ce659764e39ccc181d5901ff3923f3d00e.exe	89
PID 208 wrote to memory of 2404	208	Dekhneap.exe	90
PID 208 wrote to memory of 2404	208	Dekhneap.exe	90
PID 208 wrote to memory of 2404	208	Dekhneap.exe	90
PID 2404 wrote to memory of 1148	2404	Dkgqfl32.exe	91
PID 2404 wrote to memory of 1148	2404	Dkgqfl32.exe	91
PID 2404 wrote to memory of 1148	2404	Dkgqfl32.exe	91
PID 1148 wrote to memory of 2548	1148	Dboigi32.exe	92
PID 1148 wrote to memory of 2548	1148	Dboigi32.exe	92
PID 1148 wrote to memory of 2548	1148	Dboigi32.exe	92
PID 2548 wrote to memory of 4052	2548	Demecd32.exe	93
PID 2548 wrote to memory of 4052	2548	Demecd32.exe	93
PID 2548 wrote to memory of 4052	2548	Demecd32.exe	93
PID 4052 wrote to memory of 3604	4052	Dhkapp32.exe	94
PID 4052 wrote to memory of 3604	4052	Dhkapp32.exe	94
PID 4052 wrote to memory of 3604	4052	Dhkapp32.exe	94
PID 3604 wrote to memory of 3100	3604	Dkjmlk32.exe	95
PID 3604 wrote to memory of 3100	3604	Dkjmlk32.exe	95
PID 3604 wrote to memory of 3100	3604	Dkjmlk32.exe	95
PID 3100 wrote to memory of 4672	3100	Ddbbeade.exe	96
PID 3100 wrote to memory of 4672	3100	Ddbbeade.exe	96
PID 3100 wrote to memory of 4672	3100	Ddbbeade.exe	96
PID 4672 wrote to memory of 2568	4672	Dkljak32.exe	97
PID 4672 wrote to memory of 2568	4672	Dkljak32.exe	97
PID 4672 wrote to memory of 2568	4672	Dkljak32.exe	97
PID 2568 wrote to memory of 4932	2568	Dafbne32.exe	98
PID 2568 wrote to memory of 4932	2568	Dafbne32.exe	98
PID 2568 wrote to memory of 4932	2568	Dafbne32.exe	98
PID 4932 wrote to memory of 3140	4932	Dddojq32.exe	99
PID 4932 wrote to memory of 3140	4932	Dddojq32.exe	99
PID 4932 wrote to memory of 3140	4932	Dddojq32.exe	99
PID 3140 wrote to memory of 2152	3140	Dojcgi32.exe	100
PID 3140 wrote to memory of 2152	3140	Dojcgi32.exe	100
PID 3140 wrote to memory of 2152	3140	Dojcgi32.exe	100
PID 2152 wrote to memory of 1136	2152	Dahode32.exe	101
PID 2152 wrote to memory of 1136	2152	Dahode32.exe	101
PID 2152 wrote to memory of 1136	2152	Dahode32.exe	101
PID 1136 wrote to memory of 4268	1136	Dhbgqohi.exe	102
PID 1136 wrote to memory of 4268	1136	Dhbgqohi.exe	102
PID 1136 wrote to memory of 4268	1136	Dhbgqohi.exe	102
PID 4268 wrote to memory of 2240	4268	Echknh32.exe	103
PID 4268 wrote to memory of 2240	4268	Echknh32.exe	103
PID 4268 wrote to memory of 2240	4268	Echknh32.exe	103
PID 2240 wrote to memory of 4896	2240	Ehedfo32.exe	104
PID 2240 wrote to memory of 4896	2240	Ehedfo32.exe	104
PID 2240 wrote to memory of 4896	2240	Ehedfo32.exe	104
PID 4896 wrote to memory of 1764	4896	Ekcpbj32.exe	105
PID 4896 wrote to memory of 1764	4896	Ekcpbj32.exe	105
PID 4896 wrote to memory of 1764	4896	Ekcpbj32.exe	105
PID 1764 wrote to memory of 4900	1764	Ecjhcg32.exe	106
PID 1764 wrote to memory of 4900	1764	Ecjhcg32.exe	106
PID 1764 wrote to memory of 4900	1764	Ecjhcg32.exe	106
PID 4900 wrote to memory of 1976	4900	Eeidoc32.exe	107
PID 4900 wrote to memory of 1976	4900	Eeidoc32.exe	107
PID 4900 wrote to memory of 1976	4900	Eeidoc32.exe	107
PID 1976 wrote to memory of 2348	1976	Ehgqln32.exe	108
PID 1976 wrote to memory of 2348	1976	Ehgqln32.exe	108
PID 1976 wrote to memory of 2348	1976	Ehgqln32.exe	108
PID 2348 wrote to memory of 2196	2348	Eoaihhlp.exe	109
PID 2348 wrote to memory of 2196	2348	Eoaihhlp.exe	109
PID 2348 wrote to memory of 2196	2348	Eoaihhlp.exe	109
PID 2196 wrote to memory of 5044	2196	Eapedd32.exe	110

C:\Users\Admin\AppData\Local\Temp\a1b53669483c96fde0cc19c1e092f6ce659764e39ccc181d5901ff3923f3d00e.exe
"C:\Users\Admin\AppData\Local\Temp\a1b53669483c96fde0cc19c1e092f6ce659764e39ccc181d5901ff3923f3d00e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\Dekhneap.exe
  C:\Windows\system32\Dekhneap.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\Dkgqfl32.exe
    C:\Windows\system32\Dkgqfl32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\Dboigi32.exe
      C:\Windows\system32\Dboigi32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        26⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        27⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        30⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        33⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        37⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        38⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        39⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        41⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        43⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        44⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        46⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        48⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        49⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        50⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        51⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        53⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        54⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        55⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        57⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        58⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        59⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        60⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        66⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4464
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        69⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        70⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        71⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        72⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3528
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        74⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        75⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        76⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        77⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        78⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        79⤵
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        80⤵
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        81⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        82⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        83⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        85⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        86⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        87⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        88⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        91⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        92⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        93⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        96⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        98⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        99⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        100⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        101⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        102⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        103⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        105⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        106⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        107⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        108⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        111⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        112⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        114⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        116⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        117⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        120⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        124⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        125⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        126⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        129⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        130⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        131⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        132⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        133⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        134⤵
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        136⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        137⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        139⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        140⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        141⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        142⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        144⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        145⤵
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        146⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6396
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6444
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        149⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        150⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        152⤵
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        153⤵
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        154⤵
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        155⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        156⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        159⤵
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        160⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        161⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        162⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        163⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        164⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        165⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        166⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        170⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        171⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        173⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        174⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        175⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        178⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        180⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        182⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        183⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        184⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        185⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        187⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        188⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        189⤵
        Drops file in System32 directory
        
        PID:7052
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        190⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        191⤵
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        193⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        194⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7148
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        196⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        197⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        198⤵
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        199⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        200⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        201⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        202⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        203⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        204⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        205⤵
        Modifies registry class
        
        PID:7332
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        206⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        207⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        208⤵
        Drops file in System32 directory
        
        PID:7456
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        209⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        210⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7544
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7584
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        212⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        213⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        214⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        215⤵
        Drops file in System32 directory
        
        PID:7752
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        216⤵
        Drops file in System32 directory
        
        PID:7788
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        217⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7880
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        219⤵
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        220⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        221⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        222⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8136
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        225⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        226⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7416
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7488
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        229⤵
        Modifies registry class
        
        PID:7552
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        230⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        231⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7860
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        233⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8028
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8120
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7196
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7316
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        238⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        239⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        240⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7932
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        242⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        243⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        244⤵
        Drops file in System32 directory
        
        PID:7440
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        245⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        246⤵
        Drops file in System32 directory
        
        PID:7180
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7720
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        248⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        249⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7408
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        251⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        252⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        253⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        254⤵
        Drops file in System32 directory
        
        PID:8324
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        255⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        256⤵
        Drops file in System32 directory
        
        PID:8420
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        257⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        258⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8540
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        260⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8624
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        262⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        263⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8744
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8780
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        266⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        267⤵
        Drops file in System32 directory
        
        PID:8868
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        268⤵
        Modifies registry class
        
        PID:8912
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        269⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        270⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9004
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        271⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        272⤵
        Modifies registry class
        
        PID:9096
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        273⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        274⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        275⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        276⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8340
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8388
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        279⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        280⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        281⤵
        Modifies registry class
        
        PID:8648
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        282⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        283⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        284⤵
        Drops file in System32 directory
        
        PID:8864
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        285⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        286⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        287⤵
        Drops file in System32 directory
        
        PID:9056
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        288⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9120 -s 212
        289⤵
        Program crash
        
        PID:8220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 9120 -ip 9120
1⤵
PID:9212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dafbne32.exe

Filesize
64KB

MD5
565793aa4c5e06f9ac8b40bcc9ceed89

SHA1
2a803ccb6824c43e1d0b86b6eb1f8babf55919ef

SHA256
a4808d08d949b8fc02300d2a310c98bb7ae8b3444e165182b01be23d8700acc2

SHA512
52a42cd3bc0557a98b2fae5c220dccb61bc667702029263dea97aedce44b003fae1b2092992bd61b451ebe62e00c8bcb9050651f3404643e451f9aae72926b32

Download Submit
C:\Windows\SysWOW64\Dahode32.exe

Filesize
64KB

MD5
b6888704a2d3be692c65f6f1c418ada5

SHA1
78a364d413d7e4354aedf9f73bae41d5729e7d30

SHA256
1d86e09ac82a2f62309fb8349a065a63ff13a8c44f335f5dfdaac607c7f2d275

SHA512
ccafd6e2386fcc04422c414faa608dfebf570379422bdd0e98ddb0d3f47d4cdf6cc09ba28607dedf2d1c8ba850d8bfb24341fc6a82d010bcf1448d8116bc2fa7

Download Submit
C:\Windows\SysWOW64\Dboigi32.exe

Filesize
64KB

MD5
7f948c3576adc33089b90444c4fbe41a

SHA1
d1fd2808d9c2ba270ae1f137d49a0ad0ee05f21d

SHA256
24b684e7af67bec5ddbcdfd02f49a5ba1dcdd50dc0c48a4660d411a423f7ea89

SHA512
6152ce48d66c96467325ee3453e91792522acedd30664fa4500d49b10d9b0c1dc220e0a7893b527881b9382f9b80d4e9eb1c129faddf8bb16fa2e55c0d74a416

Download Submit
C:\Windows\SysWOW64\Ddbbeade.exe

Filesize
64KB

MD5
c6cfbf16dedb2fde134c1a0acbc2ad3b

SHA1
272f48243e03f470f879b08a8b13c64317144d50

SHA256
cbf5418523744ffa601140f4d98b385c733f00637fe12ab3aa00bbae56904a6b

SHA512
93fad20eda8a7c3935fc575e8fe872214cf8eb3afc1710a9b4ed01c0d2dd4ec22d306e1215828b09c858bab61d53c5e24d6be562bef431e4829e757d28be8515

Download Submit
C:\Windows\SysWOW64\Dddojq32.exe

Filesize
64KB

MD5
b47d0d592f8d59a351ab1bed62112161

SHA1
a0c97219ffd70403dd90454705d1586d7f2cc263

SHA256
301445ae35870628f0b7582319f06e1ae8e9254ec99e26dd7c06862807143ff0

SHA512
fa9ac12be54dfa9a24a7cc40fac9154697df7071cf76189006cfab4c5fab87b0812d49861fd30e99ab7d4d5fe02778eb5ea020d3f1188c8bbf3b5a4cbcb61d3a

Download Submit
C:\Windows\SysWOW64\Dekhneap.exe

Filesize
64KB

MD5
fe8c248d06fdb2ddd5fc4da4d6d10e64

SHA1
64a2e38151814d1c66a3605624ef4355f9e12c67

SHA256
3b5a42faf646de27439172b1011d0092c948373b69cfb11600c15da5a22cde5f

SHA512
dac4e76e22188870a143660c7fb110e82e152d365b20fe089f66856aa40a9f9214fae23817c05edb61c6eabb9e41ed2e944b0cfdf9a017aed876ce755334936e

Download Submit
C:\Windows\SysWOW64\Demecd32.exe

Filesize
64KB

MD5
468d0dad9f52d6306b178adc0756138f

SHA1
c0a1cf8de9c419db3dfc3073503612af610e67ec

SHA256
230d8f7d6bfe5ec91f416ee0b74b232d5628c75e8cbbfadabc30d50a471d46e7

SHA512
e9333ae49beddcc3ee1e5d44abff4c5eff0c8fd4fa2b86069710edefc8eced336f49d6abd9454bde258e2d9c2f2786a2c0601b99df6001d4b4e3558f117c6399

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
64KB

MD5
1d693fc888516cbdd8be8ff5c995bc17

SHA1
07fbb43215b93233ef11685a1f22078a9c7a1be6

SHA256
220c7916ac6a91f96d50a25d60d8552de6971032150b7bbf2932145357c879b6

SHA512
9642ad078fcb0ad4fd42d1fe44acc8390082859c106300e89b324a1a9dc83480cda847cb81e66c60096aff947c6fd43e7690b9989b525ff58ebb79894267e62b

Download Submit
C:\Windows\SysWOW64\Dhkapp32.exe

Filesize
64KB

MD5
76d1b9a58a7883b92666b60e11ec7fbe

SHA1
09dc0eeeb8e946127decf7355ec0ce08d0a763c7

SHA256
a314f776cacaae915d1c51772fe4d76700b662745c9c3fb89532ccb678617b17

SHA512
2288d6667042659d2c97da89a7e15eace1acf57c589cfbf40e1296c363f277ee46a7fc5df1d331d6249e47e3820b9df9db4f813b3cd31876ab53f77ed95a8960

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
64KB

MD5
218ec838c494cbce3ae62b983a836b6c

SHA1
5d05edd84ad939baca52aa60d4b5ac2ec439c7ac

SHA256
b0325788e62cb860759d33439c72360e81826d82320b850f83cdbf404e9278e4

SHA512
f02f7260b8079533357a69ec06cf332f85033688dd72de8bcb0c07b00c4185d9c8e0fe10f96815253d0e878365e6f2b832557434f552fd3eed00a3ef38ec030e

Download Submit
C:\Windows\SysWOW64\Dkjmlk32.exe

Filesize
64KB

MD5
ae73c176dd70b916303e8dc362f30451

SHA1
ea52319189ee18cbe4a73f99ab60a65322ef5997

SHA256
c148b7cf3305f98b326e4026ad54a40201b4000aeca8dbd2934b4ea944ebda82

SHA512
18cd110d57ae5d896b27cd2ac5decc479de7b1ec0ba53282a6f7d3c82e3c3f38a25692391240edda27cc75d85c34cd583b93b6b70ffcc4cda38301e58f4054fd

Download Submit
C:\Windows\SysWOW64\Dkljak32.exe

Filesize
64KB

MD5
35ef089bcc6f349868dd9bd9c05044bd

SHA1
373a34ad5431a2b8b468470cadfcd77a3596b9bf

SHA256
506822fbd7fe340872d22adb1fa88118152bd6d463240df7978c4688a2352a6a

SHA512
1fdbb6fbdab53bc7f8fb50eaa4dd8f4445fabe9e87f7ee3765aff72e535579e0ecf6fcaa3c5f9e256d0546bd103aced199867c1e88378101dcd3719477b66a0b

Download Submit
C:\Windows\SysWOW64\Dojcgi32.exe

Filesize
64KB

MD5
4514b242034e66b06b439fdfc6693af6

SHA1
f75a2835e1bc83d5a2b9def84d0316eb733405af

SHA256
aff3bf4e1585829eea896e4131ec99d01feaaed1a48eadb8e8478f1f4467d495

SHA512
e597378568ce5323972eb04478ae6de611b969e4da410ac986d88291cebaca1be2d520ebe25b5dc77ca34997748f8ab47ff25c9e6dc5dbaf2fee71e1762b10e2

Download Submit
C:\Windows\SysWOW64\Eabbjc32.exe

Filesize
64KB

MD5
2701230002bdacfaae860b790039fb70

SHA1
1a439294e7ffcd0366ea9491bd9e263f8d1c9997

SHA256
96be27e9f37e28b1311032277348ac45e2b21257211ef8daee65f6057115da66

SHA512
0ac031003ee5ea939939ee680f17d5a77b57bdbc5a3dce307508af3329a6d833607cba8f3cf8d2f2f8f6a4bdfab4c47ce3c9ae015d2ffd7f47d7916a9a1e022f

Download Submit
C:\Windows\SysWOW64\Eadopc32.exe

Filesize
64KB

MD5
cc1b629c10b61f9da61550d0f77a537d

SHA1
e614499658c9db95f20ce9b0b26f255d0e51020a

SHA256
b6d4851ac564e3b323a1b476180a7514841cf3a04c00e2247d4ba1a6430371de

SHA512
6ead88e1db896695bfa27c0d4f8c2e4c0cf7d346998b1ebecc3fd0e4051050135f934a9d4ed3d8b8f49cb6b86bfae4fb08eb999a969e77e1a2b7749157e8a91d

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
64KB

MD5
3a815cf813f2c248d41b45dfb4954ce9

SHA1
198704dbe438b2105c7802e865e2c7c24f7e63d4

SHA256
c724acc99d0470de8382b14eb88a604320c9abd6355320fc6a228578771e3eb7

SHA512
cbb7e7808c9f109475a1a1b4dacb1ec52e56661f306e926592172201206a048ab0695dd3950720b1b05bbe2f8d051955d2582f58d16c752edd99a6fbb88845fe

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
64KB

MD5
8e0af1d8c231652e3d5f292b4a2af05e

SHA1
91553f47cc609f39f3a3af064fc30e31adc32e62

SHA256
ce7d705d452caaa868e231cdccbe2168846fe4304bba3429715cf242a50f59c7

SHA512
fa389cea4d980c8157b1d60e3cce7aaf70d05f971fe58dd1c2d7b03efef73c8e50792fa4e860e3279443a7bea20de9b798063dfe8690daf387b9b2c57ca7426d

Download Submit
C:\Windows\SysWOW64\Ecjhcg32.exe

Filesize
64KB

MD5
a4cf113e00c7ae44568f66ed5d913945

SHA1
240e9edce38c855bab80c121c6da91f5b18cfc43

SHA256
11bcff1ea1145ff236c5f4ec4d1b234ace7f9eed8a1016740507638a3731209f

SHA512
8f1e26080b26586a1eb0aaa65b0fd824d9669b739b4e481ca66009e51cf144d6715057e6357fec4f5086088bc57fe8cff46ce971c3e44e6c49f3b526a6315be0

Download Submit
C:\Windows\SysWOW64\Eeidoc32.exe

Filesize
64KB

MD5
d6298aa937bb0cac6174c852f76441c6

SHA1
5438f352e409dc914b52295a7cc510db75b60ba8

SHA256
fbaeff934193a3e01eff054e450a529e393d1162a90831f4951309580271e17a

SHA512
b7dd256bda3572505770fb7421704e3b6f2a01241f5c8251afae2016888f6879370575be85840f42e9910bded67a10e3597920c128358f67fe137e6f8b827a5a

Download Submit
C:\Windows\SysWOW64\Ehedfo32.exe

Filesize
64KB

MD5
a902174dd5daaaab01a52c6c62f298d6

SHA1
1096d4298895fdd17e11ff865f778308dd4a5b31

SHA256
6458a6b97edde1be5b766a201172cf152541b4343c5dfa9e6708e030a7d4b82a

SHA512
49eef47c8789057d1e446083cd503a2264c09ac64d1b45f8dd5f8312967c854b198e9030b85930c47fdc206dc29e514a37441fead81645bac8fc23556cebb0fe

Download Submit
C:\Windows\SysWOW64\Ehgqln32.exe

Filesize
64KB

MD5
1a8ac3d9f828d045fc98dd64c2934f4d

SHA1
2f311b2b28a3bc60b349b2ab3564db9dbe98e505

SHA256
44ac7f604e8705f8803525649255efcfa525050108b43fc0b7d762defb111c46

SHA512
369b02676c160e560f44667e7748127847ea65c10f549a1206c7c4d4471fd81eae4932dae588585560fd3c9714d0f40289a5336d419caa1d948ef9db3d493fa2

Download Submit
C:\Windows\SysWOW64\Ehnglm32.exe

Filesize
64KB

MD5
d1e1370ad9ba9d7fc25d4efcc8af7127

SHA1
f116081f38fd294901cdaa2eda55206647ad7322

SHA256
9398f171c4754051289cd8a847a9616c1b9078eb295488cad5f2c87e7a07af8d

SHA512
03c1ba9574f6cba61ebeab3eedcffa446754888774dffbffb4d9ec16a0ec213f10d2af5b3289c984d3626536076e4e54d9056db2f184c4755f6d421d11580250

Download Submit
C:\Windows\SysWOW64\Ekcpbj32.exe

Filesize
64KB

MD5
cab97f63aebd3ae46ded9b11e356eab0

SHA1
82270b6555f10720381e3216a956fef8a27a1d05

SHA256
d013a8ee272085ad7e55dc7f48fcb33cdde37e7adf8fe879616497a1aa76534c

SHA512
e96724a6e06c2d415121e75c5e7f2b5c795ecfd384c294d5832e2d707eec0ba92edb091feabda817b27684deb02be3c9ffa1968e992a65252223c780835bfddd

Download Submit
C:\Windows\SysWOW64\Eleiam32.exe

Filesize
64KB

MD5
3a8087b355d008107872fb113bc4619c

SHA1
b3972a08aa528ade0bc7b7bc45342c1561f2f19c

SHA256
d23f3ea33cc9328f8daa3e1af4fe56a3e783c7fe7677aa70314a3db036a90558

SHA512
f5025760ad409a162e91d10e02adabc49746c29263633312ec9fa86ec5db20f649c0d3574100d6499d2e41822ffded11ffd418776e29c53725847d0bab8b6057

Download Submit
C:\Windows\SysWOW64\Elgfgl32.exe

Filesize
64KB

MD5
7ec05443602187a3df0944f9c475e92e

SHA1
966b1031ddb93c8e0376d7c469c7b07796d6d61f

SHA256
564e2c33d30c9f1ff5751e48149e57ed2f51ae72804d0a6d293d00130b170751

SHA512
95ab9be19874f78296c2dbbe449795d1791c7c8d56b1fe61b38fff1820b68590d9ec8fff312df3f0157c51489e41aca9b7e990f96b765761a40c08f7aabe56ac

Download Submit
C:\Windows\SysWOW64\Eoaihhlp.exe

Filesize
64KB

MD5
38b653f121a0b8fa4af7b137d0045fab

SHA1
84e8b2dcebae7fbfeb4de3e42fdc5b9f295a0069

SHA256
3dad48d23eaeda00465376deab9c3eb89e23e4a768462ff4c10919ffb42a917e

SHA512
e6d96d58e5dc7b42452d741bea37bd2dcba478d22beb37a24662a100c28877d1b7abed70dc02002a0420646df8db3199d63fb79807beabd57880182ed9f9d6f6

Download Submit
C:\Windows\SysWOW64\Eocenh32.exe

Filesize
64KB

MD5
2364571a049f3c01817bab831fd77a9c

SHA1
1b57ac548a5727c2ede53f6fc0a60445460c7e33

SHA256
b5b9247668b5a064186cb7662f4051eaab35559cfccbde3db6460861198d458d

SHA512
6754558e71c6ce18eb6eed95d5409df3b1fd86841c1bc4ffc470232191301eb424a7a9e0af432e65f6fe7eb18338acf3678965ba64690c5e6052bce3ba844d51

Download Submit
C:\Windows\SysWOW64\Faihkbci.exe

Filesize
64KB

MD5
90285eecb056ceb63c9dbaf02d550528

SHA1
d87a2895d7c294d82e324834a3694761ca07b7f9

SHA256
9f13985013885ad625d7f8e187504fa525d5ba0eef96b586629d8b5474347a6e

SHA512
76388612f18aab55e220c08ee5f945e30cd107c9f5c4d49392d628da612b9b741d9313bf1ee8a7f3ef57683d32e49e299b497251751ba84a153bec781ea673e7

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
64KB

MD5
9379665243f98e132915f4224df33a0d

SHA1
a7cbfa19a4c25c3ec5dadc37aea4c98dd07fc89a

SHA256
a1ea38af5b340d8267f6c9fab334a2cd9de566eb6b92d29fa27cafa9c51458f9

SHA512
ea81b98a78cd2600f85ddb24ae72e00d31f59bd28cde0f542107c312a41f9a2a1d5abe9c0b09a2c175669ddc38bf995f3232ca901b63aa71f9555242f1291727

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
64KB

MD5
d2e86df7e49cb5db21d7586add9a5142

SHA1
7a3cb8ff83f1887a6a23e56ee80b914e10b84591

SHA256
d6f30e03c46deac05e9cca2a758ddea28cf921c9757e2dd8b53e8e8b080628b8

SHA512
22efb8a6e63fbe8acfa082ea8f6957b6f6e6aa4d56fd3ef0109aae1d070fa94bfc7387deb4ff43b0f0e1f14ead83a58f049b876021d60fe4d38b714a464dc05a

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
64KB

MD5
afc16415a90703afd61964d42b0e9aa2

SHA1
b1f762ddd2ffc487f7e3bb3e7ffabacd1f1aaa1c

SHA256
7e0e925558ac636eb83534fd9c58900e4df65f9b9f3344af2f1d7ab5ef647cc1

SHA512
45d16bd537ab177e49bb8db9734be3736fcf4d0e567f6b22763e827c877d8e4987aeacc650649b0e266b5c635dde19e0dbcf24da6d1403d0359a199cab8acbbc

Download Submit
C:\Windows\SysWOW64\Fohoigfh.exe

Filesize
64KB

MD5
e0c4f0f952a45814ce361271f3516438

SHA1
9ed385168d3a3592ffb4c8f38e785d3a881559d6

SHA256
471ac3d98b24d8dd886398d1f32c7665f98bb58a4291d46fb9a383b4f1431abf

SHA512
3ff72431eb7c76d2b4c38cf0abc18ca03a91955fe2a7214618893ed73fa657d674e2256c3711057fb3a4c9d936c5f5ded11043b7e55985c198fa1d4883dc5127

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
64KB

MD5
335615ba46d6fb9c889d54ae647588f0

SHA1
fc467c5ce227ccaab924edaf34678de531f30dce

SHA256
d014f599d1eae6823a0a0cfd6902deb52fa06c20df4616bbd36b14e978caad5f

SHA512
c1ae20af7b56c1e3c482e8c60fac3f246e3841ba55d11fedf48e0f7dea1ee55ae01c259aa9e33df7b156d334a1fa504045994019518aef59165fe27947565755

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
64KB

MD5
79f16bd4a70e878dca945e9da2139edc

SHA1
6705f164c1bcc43909d561f86b23b805553984dd

SHA256
08e2928e41c73bff79eaf3f116645386aa34e6520f4a0b2aafd92ef0556f8fd1

SHA512
051c6d332632336a6a846a444a06a7a9dca983e1d4472038f58890b1e1af9f668585f550d7c10a57ec8faeec694ae3df1ede10cfc214e69ff608b4c29ec80a7c

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
64KB

MD5
9a85447127e569bc015918c517a11a05

SHA1
70ef1b28ef6e1b32e1b4bb131170c18ab80cf73b

SHA256
99d8122cdce3cd174c9426894f50ce285866ec12d80015787cbcbef01debedf5

SHA512
ab1559c259575d4104ef2877d561e6ad6546e8ff063bdb992360444ca099bc722ca1949af22819dd13e97dd95484f448965cfb3092d979ef2dd8ee1de0f7cd34

Download Submit
memory/208-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/208-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads