73432878988dfb8c39649c3233c5e0bc559ce1871a33572ddbe32dd67d3d0e1a

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73432878988dfb8c39649c3233c5e0bc559ce1871a33572ddbe32dd67d3d0e1a.exe
Size

224KB
MD5

34017b809ba1c6e15cd80cde910f5903
SHA1

19d7589c155b9c5d095a33e19095ab79926ad33e
SHA256

73432878988dfb8c39649c3233c5e0bc559ce1871a33572ddbe32dd67d3d0e1a
SHA512

d4dbfed86a20ee0e2704d55bed7ba0a4618857dc3a54c766371f7ba8046cd8c182bbd51d4ba7f76a2f073db3976377ab816ae4e62601b1a5df8d93c20ef5de37
SSDEEP

3072:RCKRgG3Q+H2B1xdLm102VZjuajDMyap9jCyFsWteYCWS3:wKRBFH2B1xBm102VQlter

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecgja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phkmem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbekne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chebighd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ophbqlea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qajhobmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlpllkmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aikbfnfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doccaall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cccpfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplghhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pecgja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpcpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aimoln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boanecla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aogkoedl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cohdebfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clldogdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pacaoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiohl32.exe

Executes dropped EXE 64 IoCs

pid	Process
4960	Ophbqlea.exe
4164	Obgomgee.exe
3376	Olocem32.exe
3724	Onnoah32.exe
3280	Oiccoa32.exe
4336	Olapkmic.exe
3520	Pnplghhf.exe
1956	Piepdahl.exe
1600	Ppphak32.exe
4896	Pbndmf32.exe
4364	Pelaib32.exe
4372	Phkmem32.exe
4616	Pneebg32.exe
3652	Pacaoc32.exe
3796	Phmjkmka.exe
2492	Pngbhg32.exe
3192	Peajdajk.exe
4144	Pniomgpl.exe
2052	Pbekne32.exe
4672	Pecgja32.exe
2944	Qpikgj32.exe
4008	Qajhobmm.exe
4812	Qlpllkmc.exe
3372	Qbjdiedp.exe
4664	Qehqepcc.exe
4972	Qhfmalbg.exe
4464	Apndbici.exe
4548	Aaoaja32.exe
1128	Aifiko32.exe
4040	Aldegj32.exe
448	Aemjpp32.exe
1612	Ahkflk32.exe
2580	Apbnnh32.exe
4768	Aackeqeb.exe
4240	Aikbfnfd.exe
4028	Aogkoedl.exe
3864	Abcgoc32.exe
4204	Aimoln32.exe
2240	Alkkhi32.exe
3696	Aojhdd32.exe
2808	Aahdqp32.exe
1380	Ahblmjhj.exe
1552	Bpidngil.exe
4920	Bbhqjchp.exe
2128	Bibigmpl.exe
4908	Blpechop.exe
3892	Booaodnd.exe
1296	Bbjmpb32.exe
3484	Behiln32.exe
4172	Bpnnig32.exe
2084	Boanecla.exe
3628	Baojaoke.exe
2972	Bekfan32.exe
1236	Bhibni32.exe
332	Blennh32.exe
944	Bockjc32.exe
3860	Baaggo32.exe
3128	Biiohl32.exe
3252	Blgkdg32.exe
2032	Bbacqape.exe
4844	Bikkml32.exe
4444	Clihig32.exe
4176	Cohdebfi.exe
3552	Cccpfa32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Olapkmic.exe	Oiccoa32.exe
File created	C:\Windows\SysWOW64\Bikkml32.exe	Bbacqape.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Phmjkmka.exe	Pacaoc32.exe
File opened for modification	C:\Windows\SysWOW64\Dpcpkc32.exe	Dhlhjf32.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Dpemacql.exe	Djlddi32.exe
File opened for modification	C:\Windows\SysWOW64\Dcdimopp.exe	Dpemacql.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Olocem32.exe	Obgomgee.exe
File created	C:\Windows\SysWOW64\Pakbej32.dll	Baojaoke.exe
File created	C:\Windows\SysWOW64\Camfbm32.exe	Ccjfgphj.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Phnelk32.dll	Pngbhg32.exe
File created	C:\Windows\SysWOW64\Eoapbo32.exe	Elccfc32.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Lpioln32.dll	Olocem32.exe
File opened for modification	C:\Windows\SysWOW64\Behiln32.exe	Bbjmpb32.exe
File opened for modification	C:\Windows\SysWOW64\Fbllkh32.exe	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Kdigaehe.dll	Pbndmf32.exe
File created	C:\Windows\SysWOW64\Dlojkddn.exe	Daifnk32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mohcka32.dll	Aogkoedl.exe
File created	C:\Windows\SysWOW64\Clnadfbp.exe	Ccfmla32.exe
File created	C:\Windows\SysWOW64\Ejgdpg32.exe	Eflhoigi.exe
File opened for modification	C:\Windows\SysWOW64\Ebbidj32.exe	Eodlho32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Hfcgek32.dll	Aackeqeb.exe
File created	C:\Windows\SysWOW64\Baojaoke.exe	Boanecla.exe
File opened for modification	C:\Windows\SysWOW64\Cchiaqjm.exe	Commqb32.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Bockjc32.exe	Blennh32.exe
File created	C:\Windows\SysWOW64\Ljmpfbln.dll	Clldogdc.exe
File created	C:\Windows\SysWOW64\Digkijmd.exe	Coagla32.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Eckonn32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Homkbf32.dll	Ppphak32.exe
File created	C:\Windows\SysWOW64\Bbopfj32.dll	Dcdimopp.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Niecpdnn.dll	Pelaib32.exe
File opened for modification	C:\Windows\SysWOW64\Cpljkdig.exe	Chebighd.exe
File created	C:\Windows\SysWOW64\Fphbondi.dll	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Faqcbg32.dll	Aahdqp32.exe
File created	C:\Windows\SysWOW64\Lfhilofo.dll	Eodlho32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8528	8368	WerFault.exe	367

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqpaojmf.dll"	Aldegj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahblmjhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbjmpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpcpkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aackeqeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pneebg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apndbici.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doccaall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elhmablc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Peajdajk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aldegj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaoaja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cijddbon.dll"	Aimoln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjfgphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qehqepcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bockjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnplghhf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 4960	3308	73432878988dfb8c39649c3233c5e0bc559ce1871a33572ddbe32dd67d3d0e1a.exe	91
PID 3308 wrote to memory of 4960	3308	73432878988dfb8c39649c3233c5e0bc559ce1871a33572ddbe32dd67d3d0e1a.exe	91
PID 3308 wrote to memory of 4960	3308	73432878988dfb8c39649c3233c5e0bc559ce1871a33572ddbe32dd67d3d0e1a.exe	91
PID 4960 wrote to memory of 4164	4960	Ophbqlea.exe	92
PID 4960 wrote to memory of 4164	4960	Ophbqlea.exe	92
PID 4960 wrote to memory of 4164	4960	Ophbqlea.exe	92
PID 4164 wrote to memory of 3376	4164	Obgomgee.exe	93
PID 4164 wrote to memory of 3376	4164	Obgomgee.exe	93
PID 4164 wrote to memory of 3376	4164	Obgomgee.exe	93
PID 3376 wrote to memory of 3724	3376	Olocem32.exe	94
PID 3376 wrote to memory of 3724	3376	Olocem32.exe	94
PID 3376 wrote to memory of 3724	3376	Olocem32.exe	94
PID 3724 wrote to memory of 3280	3724	Onnoah32.exe	95
PID 3724 wrote to memory of 3280	3724	Onnoah32.exe	95
PID 3724 wrote to memory of 3280	3724	Onnoah32.exe	95
PID 3280 wrote to memory of 4336	3280	Oiccoa32.exe	96
PID 3280 wrote to memory of 4336	3280	Oiccoa32.exe	96
PID 3280 wrote to memory of 4336	3280	Oiccoa32.exe	96
PID 4336 wrote to memory of 3520	4336	Olapkmic.exe	97
PID 4336 wrote to memory of 3520	4336	Olapkmic.exe	97
PID 4336 wrote to memory of 3520	4336	Olapkmic.exe	97
PID 3520 wrote to memory of 1956	3520	Pnplghhf.exe	98
PID 3520 wrote to memory of 1956	3520	Pnplghhf.exe	98
PID 3520 wrote to memory of 1956	3520	Pnplghhf.exe	98
PID 1956 wrote to memory of 1600	1956	Piepdahl.exe	99
PID 1956 wrote to memory of 1600	1956	Piepdahl.exe	99
PID 1956 wrote to memory of 1600	1956	Piepdahl.exe	99
PID 1600 wrote to memory of 4896	1600	Ppphak32.exe	100
PID 1600 wrote to memory of 4896	1600	Ppphak32.exe	100
PID 1600 wrote to memory of 4896	1600	Ppphak32.exe	100
PID 4896 wrote to memory of 4364	4896	Pbndmf32.exe	101
PID 4896 wrote to memory of 4364	4896	Pbndmf32.exe	101
PID 4896 wrote to memory of 4364	4896	Pbndmf32.exe	101
PID 4364 wrote to memory of 4372	4364	Pelaib32.exe	102
PID 4364 wrote to memory of 4372	4364	Pelaib32.exe	102
PID 4364 wrote to memory of 4372	4364	Pelaib32.exe	102
PID 4372 wrote to memory of 4616	4372	Phkmem32.exe	103
PID 4372 wrote to memory of 4616	4372	Phkmem32.exe	103
PID 4372 wrote to memory of 4616	4372	Phkmem32.exe	103
PID 4616 wrote to memory of 3652	4616	Pneebg32.exe	104
PID 4616 wrote to memory of 3652	4616	Pneebg32.exe	104
PID 4616 wrote to memory of 3652	4616	Pneebg32.exe	104
PID 3652 wrote to memory of 3796	3652	Pacaoc32.exe	105
PID 3652 wrote to memory of 3796	3652	Pacaoc32.exe	105
PID 3652 wrote to memory of 3796	3652	Pacaoc32.exe	105
PID 3796 wrote to memory of 2492	3796	Phmjkmka.exe	106
PID 3796 wrote to memory of 2492	3796	Phmjkmka.exe	106
PID 3796 wrote to memory of 2492	3796	Phmjkmka.exe	106
PID 2492 wrote to memory of 3192	2492	Pngbhg32.exe	107
PID 2492 wrote to memory of 3192	2492	Pngbhg32.exe	107
PID 2492 wrote to memory of 3192	2492	Pngbhg32.exe	107
PID 3192 wrote to memory of 4144	3192	Peajdajk.exe	108
PID 3192 wrote to memory of 4144	3192	Peajdajk.exe	108
PID 3192 wrote to memory of 4144	3192	Peajdajk.exe	108
PID 4144 wrote to memory of 2052	4144	Pniomgpl.exe	109
PID 4144 wrote to memory of 2052	4144	Pniomgpl.exe	109
PID 4144 wrote to memory of 2052	4144	Pniomgpl.exe	109
PID 2052 wrote to memory of 4672	2052	Pbekne32.exe	110
PID 2052 wrote to memory of 4672	2052	Pbekne32.exe	110
PID 2052 wrote to memory of 4672	2052	Pbekne32.exe	110
PID 4672 wrote to memory of 2944	4672	Pecgja32.exe	111
PID 4672 wrote to memory of 2944	4672	Pecgja32.exe	111
PID 4672 wrote to memory of 2944	4672	Pecgja32.exe	111
PID 2944 wrote to memory of 4008	2944	Qpikgj32.exe	112

C:\Users\Admin\AppData\Local\Temp\73432878988dfb8c39649c3233c5e0bc559ce1871a33572ddbe32dd67d3d0e1a.exe
"C:\Users\Admin\AppData\Local\Temp\73432878988dfb8c39649c3233c5e0bc559ce1871a33572ddbe32dd67d3d0e1a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\SysWOW64\Ophbqlea.exe
  C:\Windows\system32\Ophbqlea.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\Obgomgee.exe
    C:\Windows\system32\Obgomgee.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\SysWOW64\Olocem32.exe
      C:\Windows\system32\Olocem32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Windows\SysWOW64\Onnoah32.exe
        
        C:\Windows\system32\Onnoah32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
      - C:\Windows\SysWOW64\Oiccoa32.exe
        
        C:\Windows\system32\Oiccoa32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Olapkmic.exe
        
        C:\Windows\system32\Olapkmic.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Pnplghhf.exe
        
        C:\Windows\system32\Pnplghhf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Piepdahl.exe
        
        C:\Windows\system32\Piepdahl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ppphak32.exe
        
        C:\Windows\system32\Ppphak32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Pbndmf32.exe
        
        C:\Windows\system32\Pbndmf32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Pelaib32.exe
        
        C:\Windows\system32\Pelaib32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Phkmem32.exe
        
        C:\Windows\system32\Phkmem32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Pneebg32.exe
        
        C:\Windows\system32\Pneebg32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Pacaoc32.exe
        
        C:\Windows\system32\Pacaoc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Phmjkmka.exe
        
        C:\Windows\system32\Phmjkmka.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Pngbhg32.exe
        
        C:\Windows\system32\Pngbhg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Peajdajk.exe
        
        C:\Windows\system32\Peajdajk.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Pniomgpl.exe
        
        C:\Windows\system32\Pniomgpl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Pbekne32.exe
        
        C:\Windows\system32\Pbekne32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Pecgja32.exe
        
        C:\Windows\system32\Pecgja32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Qpikgj32.exe
        
        C:\Windows\system32\Qpikgj32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Qajhobmm.exe
        
        C:\Windows\system32\Qajhobmm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Qlpllkmc.exe
        
        C:\Windows\system32\Qlpllkmc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Qbjdiedp.exe
        
        C:\Windows\system32\Qbjdiedp.exe
        25⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Qehqepcc.exe
        
        C:\Windows\system32\Qehqepcc.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Qhfmalbg.exe
        
        C:\Windows\system32\Qhfmalbg.exe
        27⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Apndbici.exe
        
        C:\Windows\system32\Apndbici.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Aaoaja32.exe
        
        C:\Windows\system32\Aaoaja32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Aifiko32.exe
        
        C:\Windows\system32\Aifiko32.exe
        30⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Aldegj32.exe
        
        C:\Windows\system32\Aldegj32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Aemjpp32.exe
        
        C:\Windows\system32\Aemjpp32.exe
        32⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Ahkflk32.exe
        
        C:\Windows\system32\Ahkflk32.exe
        33⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Apbnnh32.exe
        
        C:\Windows\system32\Apbnnh32.exe
        34⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Aackeqeb.exe
        
        C:\Windows\system32\Aackeqeb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Aikbfnfd.exe
        
        C:\Windows\system32\Aikbfnfd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Aogkoedl.exe
        
        C:\Windows\system32\Aogkoedl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Abcgoc32.exe
        
        C:\Windows\system32\Abcgoc32.exe
        38⤵
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Aimoln32.exe
        
        C:\Windows\system32\Aimoln32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Alkkhi32.exe
        
        C:\Windows\system32\Alkkhi32.exe
        40⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Aojhdd32.exe
        
        C:\Windows\system32\Aojhdd32.exe
        41⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Aahdqp32.exe
        
        C:\Windows\system32\Aahdqp32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Ahblmjhj.exe
        
        C:\Windows\system32\Ahblmjhj.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Bpidngil.exe
        
        C:\Windows\system32\Bpidngil.exe
        44⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Bbhqjchp.exe
        
        C:\Windows\system32\Bbhqjchp.exe
        45⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Bibigmpl.exe
        
        C:\Windows\system32\Bibigmpl.exe
        46⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Blpechop.exe
        
        C:\Windows\system32\Blpechop.exe
        47⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        48⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Bbjmpb32.exe
        
        C:\Windows\system32\Bbjmpb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Behiln32.exe
        
        C:\Windows\system32\Behiln32.exe
        50⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Bpnnig32.exe
        
        C:\Windows\system32\Bpnnig32.exe
        51⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Boanecla.exe
        
        C:\Windows\system32\Boanecla.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Baojaoke.exe
        
        C:\Windows\system32\Baojaoke.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Bekfan32.exe
        
        C:\Windows\system32\Bekfan32.exe
        54⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        55⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Blennh32.exe
        
        C:\Windows\system32\Blennh32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Baaggo32.exe
        
        C:\Windows\system32\Baaggo32.exe
        58⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\Blgkdg32.exe
        
        C:\Windows\system32\Blgkdg32.exe
        60⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        62⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        63⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        66⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        68⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        70⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        71⤵
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        72⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        75⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        77⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        78⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        79⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        81⤵
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        82⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        84⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        87⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        89⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        90⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        91⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        92⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        93⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        94⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        95⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        96⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        97⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        98⤵
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        99⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        103⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        107⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        109⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        110⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        112⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        113⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        114⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        115⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        116⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        118⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        119⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        120⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        121⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        122⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        123⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        124⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        126⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        127⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        130⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        131⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        132⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        133⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        134⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        135⤵
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        136⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        137⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        139⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        140⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        141⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6480
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        143⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6604
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        148⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        149⤵
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        150⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        151⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        152⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        153⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        154⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        156⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        158⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        159⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        160⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        161⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        162⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6528
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6600
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        165⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        167⤵
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        168⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        169⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        170⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        171⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        172⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        173⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        178⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        179⤵
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        180⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        181⤵
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        185⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        186⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7228
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        188⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        189⤵
        Modifies registry class
        
        PID:7312
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        190⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        191⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7444
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        193⤵
        Drops file in System32 directory
        
        PID:7492
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        194⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        195⤵
        Modifies registry class
        
        PID:7592
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        196⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        197⤵
        Modifies registry class
        
        PID:7672
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        198⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        199⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        200⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        201⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        202⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        203⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7980
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        205⤵
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8060
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        207⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        208⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        209⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        210⤵
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        211⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7384
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        213⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        214⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7612
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        216⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        217⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        218⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        219⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        220⤵
        Drops file in System32 directory
        
        PID:7960
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8028
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8088
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8176
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        224⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        225⤵
        Drops file in System32 directory
        
        PID:7344
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7432
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7588
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        228⤵
        Drops file in System32 directory
        
        PID:7688
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        229⤵
        Modifies registry class
        
        PID:7760
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        230⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        231⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8112
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        233⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        234⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        235⤵
        Modifies registry class
        
        PID:7576
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        236⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7756
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        237⤵
        Drops file in System32 directory
        
        PID:8000
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        238⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        239⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        240⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        241⤵
        Modifies registry class
        
        PID:8012
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        242⤵
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        243⤵
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        244⤵
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8132
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        246⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        247⤵
        Modifies registry class
        
        PID:8232
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        248⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        249⤵
        Modifies registry class
        
        PID:8312
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        250⤵
        Modifies registry class
        
        PID:8360
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        251⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8440
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        253⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        254⤵
        Drops file in System32 directory
        
        PID:8520
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        255⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8604
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        257⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        258⤵
        Modifies registry class
        
        PID:8692
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8728
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        260⤵
        Modifies registry class
        
        PID:8768
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8824
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        262⤵
        Drops file in System32 directory
        
        PID:8872
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        263⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        264⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        265⤵
        Drops file in System32 directory
        
        PID:9032
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9076
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        267⤵
        Modifies registry class
        
        PID:9120
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        268⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        269⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8240
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8300
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        272⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8368 -s 400
        273⤵
        Program crash
        
        PID:8528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 8368 -ip 8368
1⤵
PID:8472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaoaja32.exe

Filesize
224KB

MD5
c0b33709e9910965e01bcb11ac98fa53

SHA1
ff03c6dec675a8865898cf5c62c253917a9c541d

SHA256
9caa93a0148f5ca60512d6454ae3bf6a10057654527bfe4370342a80598b4eda

SHA512
7ea1f6b78528250663655a8d1387cc2854b7cf4bc0cdf37da8460e969c3c16cc4bda802f59bd0a769f8d86b2eb4a56f20c1a108e56eba4c29b903b5f4e1929a6

Download Submit
C:\Windows\SysWOW64\Aemjpp32.exe

Filesize
224KB

MD5
c6f8c663f745d9fa26dd2f88098b1dd8

SHA1
70c334bcb15aab45de0292fe12266993e43742ba

SHA256
65714b9a330b9203004d5dc594378f0d94e1dc372cda711d6031ec1510ca7d64

SHA512
902d4c3aa0a68dfffdbb379ef8046fec8b213531c296f94d5390e28cec79daa6758b228154c8ff7449ce41219632ad7763a202106e29cec3911f11076a65aa07

Download Submit
C:\Windows\SysWOW64\Ahkflk32.exe

Filesize
224KB

MD5
0532ed7f12435c9e5e70dd9a5535cdc2

SHA1
8620c45ccaa40327773c4df828d2f3c9363c7714

SHA256
2c95d0a7d968d40bdc463c408e1a4a3a4709aad8e11b1cff74e1a327c383e2de

SHA512
f5c5d15612ed1d7e9fa34b8e397ba0221e9322b12e8b1a3aab88fd0f76128032055a888e14b2f71cfdc0a80e478865c20cf2a51cb59df0598c0f1b4f653ca067

Download Submit
C:\Windows\SysWOW64\Aifiko32.exe

Filesize
224KB

MD5
c30f603695e8ae2e37e78388c83b2180

SHA1
8142de5015e2a6f204263f0b53e52b9cd448c143

SHA256
89298662dab829d64158991d092edbf960c16c988fc25518506c8154e166400e

SHA512
f09f7b42fc210df160a98f5a69f7d635d79f5ceb08863ad7ba2d0719d4502e60deeb91201cbac5a6c56dc5e7717c0d2d90fbc96f3db593cdcdf52e9eb3e8854a

Download Submit
C:\Windows\SysWOW64\Aldegj32.exe

Filesize
224KB

MD5
b8b29e42798b8e2f46da0791fccb9d08

SHA1
ed17d7e4e8b72e5a00bb05a7a388379ca6d0d44b

SHA256
f1b3580b8eb8621e4e2ccc115a8b49137fe876f1649eae54aeab91593a820cfd

SHA512
7e2bf87d45c42c23cea56e979ee1f54a63352403300515ad612f8e0aaf0443151234e49f9536f74ffbaba85bda2b928bd8e0fad6519d0a45ad3f5dbd84953a64

Download Submit
C:\Windows\SysWOW64\Apndbici.exe

Filesize
224KB

MD5
ae0abbc9a9f1d11bd72992cab0372446

SHA1
d18b6cff2fccfb08e2a3c8ca93077d7d405e934e

SHA256
84e51739dcaa1c0fb1b66ef261d1e071107274f856d73be6839a08a89d8db25f

SHA512
82ed384b17a4c8b1bc6269fb6ed81ab9a9245ab349c680adcfa47b713cbaf7074225af21b89053483e73f8e0a73641ded6b47f651bd22ef1683f5b7bc2955ad6

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
224KB

MD5
0ba0987433b29e5a6447de3efd22798c

SHA1
bcbd54b0599603d7e47cf5fd6a5a8ab2fdd41237

SHA256
a86230adcae22ec3ab1738d7ff82fcd7ef5357bbe489b8f5bc688de951ceb8d6

SHA512
c8594f3e78b2a17d23ac4c7f3786653340d7b2a64ae42596d715695a300677a9a212ffcfa17369e10c1fdd6306390310a7fbdb7defa09bf9355322eefc07fde6

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
224KB

MD5
624242974b3d752980c936866d3fbfae

SHA1
e79713a82486c8f458cdb3a9f33f137c4629b764

SHA256
d14891fbbc07fd6bfad7114a82b4567d2cf95f55680709d5dfc9e6c7d7b7d98b

SHA512
17092e819dc6a67e9184eceb230fd09625266e0d9e96c6f267a7d72995030035fb88c55841805d6c1045775e479a1763582a7c138c896ae662ee6b208ba452b3

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
224KB

MD5
5612eb52434d23ec38a919cfbae05157

SHA1
08d61b71ac44b034a153ab206b653a751ac6e823

SHA256
fd2996b71db8c7606a4a858e2019977efdb044a9a849f42c3d7663736198336b

SHA512
18a956a8b7cddc3990bdd1fd99481eb4529634075b41c28fc72b30ffe402f75a28f39a00f294fca354d768f39988af3ce550781452157c1d513084dc61f71c80

Download Submit
C:\Windows\SysWOW64\Obgomgee.exe

Filesize
224KB

MD5
51397022eb9634c6bfcbbcda531f3031

SHA1
54128c531a15da669463368b4cc41af93830c9ab

SHA256
93ceac9704dcacc6e1d9f1515f117ab25848ec771b3718b401eadf40e37c7945

SHA512
f68728e356e842f285ed3c15b2927e7ae5a651accc0dc82b62f836ae430e80838f2b1cf72dd679bee265297b3e2b81c3d0977d13d870023a6bac8cfb43394263

Download Submit
C:\Windows\SysWOW64\Oiccoa32.exe

Filesize
224KB

MD5
514ba8aef1ad364e8d12e71a6d90d981

SHA1
55e17238cb5f7f1014b0bbf47818226d1c47ec17

SHA256
77fa1af62593c56f2253c4d3c3f57090862cfb97da7d62dd0ddb6dff2351b5f2

SHA512
6a0fb1c19b3968dc554a7816b5eeaa182bf28ce780a35b4ee13f4280801e3e718fb5231ab8898a1ff7db259e9751e177d3c1a16b2049bb498c61eb9ba77a9a28

Download Submit
C:\Windows\SysWOW64\Olapkmic.exe

Filesize
224KB

MD5
b8286cd7086acf3be5a3b5fd52e9aaf8

SHA1
7a591d1c44e82cc460cd3ee4b7e36577d4c0e98e

SHA256
ea2d970c21f53f1f6b6dc830b1a5b2e46f79c95f6f2c49db3d15d5f9654ef597

SHA512
982fbb68a68f3cea976e81dc2c111041e500b80872a02193c2a5d3a58eea539e77b27b8afd9fd95e453fcb56ef1c4df4bf65e471c713f8ae7c63ae5519e367ec

Download Submit
C:\Windows\SysWOW64\Olocem32.exe

Filesize
224KB

MD5
1e9b7bcfd8b6bba36b09ff009fd9a8d0

SHA1
bbab38cdc01a71fb6b5113e81abb9e7a36465e76

SHA256
4f3851d32219ce2fc5ae8ab63128a197b0b6d71f08b2d8c9f4c82bd351284461

SHA512
de01e49387bc2fa03edf290ec503f3d005f5cf3fe59f2c8cd756745bbe913ea9ad807eab1a92afba8f1d651245af1701d224d36cfe3b245b09f805cdd46429f6

Download Submit
C:\Windows\SysWOW64\Onnoah32.exe

Filesize
224KB

MD5
afafa3a47f4985ecab64b911ed24c552

SHA1
aebde8e7dda8bbdd2e29ba0654113ebe6396f6b9

SHA256
1380a88e84064ff0cbf65f5bd414550d2435d8409f1a7436f19a2426e81ea510

SHA512
86aff3d51bbb910a884b03fabd58b2b0e9c08040d115c6b56ea99c3332e8ff5125dd92c0f24d7d8013a161028461d2397d31c187803627a609c4a3bdfffbafe3

Download Submit
C:\Windows\SysWOW64\Ophbqlea.exe

Filesize
224KB

MD5
1f85ea101de65c2c3f8a0a7fcd248497

SHA1
1436d71e4fa6020967f49de16b478b01716605b5

SHA256
c4fadee7a5caa24e53c343da6a4c6dd986db3e64acc8ec8a1c52a96a20d0a65e

SHA512
2c1aa6d4ef045a05e43429e27af6e2cfab9e5509c589856540ab17d4784fdd0a9e6faaf38a2b9c718086542139c87561e3781e95f26b4dd7d65bf4a07341de50

Download Submit
C:\Windows\SysWOW64\Pacaoc32.exe

Filesize
224KB

MD5
efe2292f68b266586c4d9ead0abcd06d

SHA1
750a9b3a0500863119589db065132d60bdf08c8d

SHA256
1955d787a89c8e4aba3d6673e5d5b76012da579d0bc4a0eb0457a1e6112ec7c9

SHA512
47a0e334e84d4de319759b84ddeda00fa2f4c6977cf64967589c5945bf35d52ab49562d775231df51fee1644bdedec24f85555fae53f354ec4c2de999c4abdcc

Download Submit
C:\Windows\SysWOW64\Pbekne32.exe

Filesize
224KB

MD5
65e1a87b282ad8207f5bd9c3662f808a

SHA1
e9039d463d815f411db4103beeaf0e29e977804a

SHA256
009f761cc7d60be9ca0336163d0bf5e979ffbfb0bcf98c40dfb51961b41554fb

SHA512
6a127b86adb62d832f6c6f9314ae0892c8745e83dcaadfea8ad09a68da8540f42dcf694bf31922c2025991d37121f2c1dcefe198c6a5f94fceeead92561e0588

Download Submit
C:\Windows\SysWOW64\Pbndmf32.exe

Filesize
224KB

MD5
8b7817dfb75788876ef4d4ceb5b64c79

SHA1
a7d86c66404776f908dd2c1c86f00cbae0fae8fb

SHA256
c8f5c2d8a9d099a9983898db5866560e1579e87501db4299e779c171c4c58ddc

SHA512
6cd94dc41caf59f9c363dd6cfad80ae5e217186b595650186776e65b96b2a997bbaf720ba84ebc01a95f7915a94e1c2b24ac21cc30a870842e8b2f51ac369ded

Download Submit
C:\Windows\SysWOW64\Peajdajk.exe

Filesize
224KB

MD5
c99ce7b3b806bcd293c0b5db3607fc29

SHA1
f3c1968943cd1b28522f232a2c25ece8e112ed1c

SHA256
aba765071251084fd480d9e9f875ec51e016cf3d88c4d49b1c8973aead7bc125

SHA512
6fe39fa1fd907f0f4c17c991289d2e7d1a92d76388b25df5db9b4139d9ab7f958ccbc7f3c195c33a3b4c66d9c65785eefcb4bc3562b1da84bc43768a83ed7e0f

Download Submit
C:\Windows\SysWOW64\Pecgja32.exe

Filesize
224KB

MD5
c1073bbf5c0bccfec8b767387c4e7fef

SHA1
988bf010e28798070b887510347d7301f1a12d06

SHA256
99a35b59f3706e3085a31aef3aabda6525d1ae95febcc57fe85b20eeff09fcaa

SHA512
19bbf32a48dd1512fc6fb682c82e5b2a5efb87614a64fe6c3d5087db32da33826141e3e95431fe40ee50c2fc1ccac77cd601c9eb6141089d823c51ef2ef75f81

Download Submit
C:\Windows\SysWOW64\Pelaib32.exe

Filesize
224KB

MD5
afad812197090d2311c3292d696820a8

SHA1
ef0d371137876a9c9d39cbce9b5696235e1bd67a

SHA256
d2bc44696bfab257c76ffa70b5d2c9bfae506629af9205697be387ddd94a5498

SHA512
e717eb73276fdbc9ebc3a330f66065535ee741ad6b30dbad65600f2ddda1a8b7a74e8f2c8f855fae58a8a1422e653b2e08ad7c4d719ebff3d184ff2b36175dcf

Download Submit
C:\Windows\SysWOW64\Phkmem32.exe

Filesize
224KB

MD5
ded4716d77dfc9c1bfb2a6ec02895ab8

SHA1
27a21d9fe7bd243b820bc7c1f8a1e7e95be7c370

SHA256
ab06f91f59de6b91828e18e945f1cf42a91d3668d50d017a43558bda24b2c735

SHA512
1e12174c2bdeebb23b00d97409ec480fbf22e3bd7e3a2fa6da079f6b4f979bfc386758f783d17aaaa9375bccd42ea6ec7b3e4f136c46c2fd9431784703740919

Download Submit
C:\Windows\SysWOW64\Phmjkmka.exe

Filesize
224KB

MD5
dd7a9aaa209944e061e838ff6761fd41

SHA1
5eaad5e9db31c4e4cd1742ec32ecb5103e8d0560

SHA256
139147151c4c312e84b7f93c5af2064d5616633996056d5df5c84441b46415ab

SHA512
ebf6528660605d5ff04407823131a2fed9fbcd68ccb0cdaa32ff9eced03aa94a0b8982604429dbf2e32000af2fd48bb38b33b77fb5c8fcd361eff67c688b43a9

Download Submit
C:\Windows\SysWOW64\Piepdahl.exe

Filesize
224KB

MD5
30f8b4e12bc38ddc42507c2d34785d62

SHA1
6ca0a181872031089a6a9059e81db4c0e1813c84

SHA256
0f22227949620c218a919ee06eb34c079d021924e14088f74d088d5823d27e09

SHA512
f89ffc0cc185eb26a78529e8e6ae9ad1ca394efb1a90f27935e6f3229241785299d5a704798f75f18246a401d59d55413d7409a3894a6089ba1f1b6258389ddb

Download Submit
C:\Windows\SysWOW64\Pneebg32.exe

Filesize
224KB

MD5
8ecb44cadea190b00254ea46d9e2da11

SHA1
2e554210b31a83825afda661eeb4602ccd1d45dd

SHA256
926646d5888ecec172aeff618dbee4e2170e6a57ff36848df41b2aa79f49def7

SHA512
b4f398f5fd1f3de742638967c83fdc0d5554c0e9b546b1e9fcda82b64df87438caae0d8ecbe779b47ce3d9556336419f735afdfd150f118ada2042ee90aa0bf0

Download Submit
C:\Windows\SysWOW64\Pngbhg32.exe

Filesize
224KB

MD5
8af3a9d715723d3456b123d5f5f13c00

SHA1
c3c1b1f38d5fe1d2cb224d7079c9ce961149cf7e

SHA256
2dff9373f4ee42bae6143378f960491bbc90b116878c10f3e62be1d28321cdf9

SHA512
df6d9faf1b80a8ed960e746464dfb5ed01a16a1e70dcbecdc9818efd29a4f54fba11d395f1df4b1d26f4dda801b79a4035830b345fe985befae5d9bb37711819

Download Submit
C:\Windows\SysWOW64\Pniomgpl.exe

Filesize
224KB

MD5
7c319ef60bf4693cf711d3220cb19e8e

SHA1
e57ba21642a6b876b62fa69193558343a8122fab

SHA256
89f448b5635682900178db2f58467d6ad2c2525820311073b65a7c48fdbf3581

SHA512
f7aa54bb145c7332521d852a21cddfd721bcb39c723526a64a60add3642db579089b394b5f0c2b4357da7df2b907f0d6513bab81056154cf91bf2b108acdc684

Download Submit
C:\Windows\SysWOW64\Pnplghhf.exe

Filesize
224KB

MD5
70b22b85eccd606276d989f2af4db07c

SHA1
5452fcd4368a92c5c86fdbce5607608be10c33b5

SHA256
73aa560478ce776f63183dee296458c8e74a51fae1b8c6feb9602558035032b5

SHA512
71ec9ffcfe1e04dc4fc9dc0fab1499c047bdd0fea31e7558a187af27a3daf64e520cfd4e89058fe32cafb25c7b894782f97ddb98928577457a3392394c56c475

Download Submit
C:\Windows\SysWOW64\Ppphak32.exe

Filesize
224KB

MD5
fd3f29b72ce9039bfad2b39b3a1c71fa

SHA1
cc00b342bf105fb7e9d7ac08d5354c2854b6be90

SHA256
c8667028b4ff281ec5d2bc8c750bf5bfcc3b0e03e5e49c5f65a2c2b1e38cc7ac

SHA512
6fdac91df233f23d1afc57f0fbe425abc228c6dd9376cd7d25552740bfcd4f65efd4e7062b5b8ca9febcf15c5be95e44abb6cc798a543ef8ddf6c93d0d5aa770

Download Submit
C:\Windows\SysWOW64\Qajhobmm.exe

Filesize
224KB

MD5
964e970c221cc8e0a0aeb898fc54552c

SHA1
353ce5044594dec9a05455811c814f30a02004c9

SHA256
6f448dcf775822f92bda73162e45916ce82d486228f0aaa3c22c66ccc34d62a6

SHA512
fb13a13a64d3bce7e4d73cb3c607d5a67b1161f6a0ac85bd47862e8254ff77f92066e54f6e76e5cfaf1c4de11e6f460d4b067d25f1a36c2c5b60228864881ea5

Download Submit
C:\Windows\SysWOW64\Qbjdiedp.exe

Filesize
224KB

MD5
a752bd9e615cdcc3fb1a1f6b98ab84d3

SHA1
10ae0c647847f34ac86602633db6a294dda967dd

SHA256
9592f3fd1054c715fa9090df520dfa6ef3c7906eddf6f6e34356991918d8660d

SHA512
0683c393618cccccff6649490267bfec46bdfa0d25bcb70cd8fc599183e103af361a7b9202d7f675aa2f0fa0295d17af31b861a86f346cc086852da44ea28679

Download Submit
C:\Windows\SysWOW64\Qehqepcc.exe

Filesize
224KB

MD5
c8cf176c63d9cabcbf3b08b3ddb99d9d

SHA1
c7af47de45ffc8e4f14f5a20f57a36c4b85e46ca

SHA256
0d88397c3bca7c402c04c1da5edfd1d96b8d168d8df7bf682d5ed3258a81b070

SHA512
69129ecb1e76f09e09c36589339430ed71e5e0f191025c2f3a433aa68a5a8cad356629542db69643113bc0bf43d497231ca3afb97fe48b615e45bafe1a8c89c2

Download Submit
C:\Windows\SysWOW64\Qhfmalbg.exe

Filesize
224KB

MD5
e8c71caab70516e54ae87e0430c90c54

SHA1
028426cf33cc712b17db4b20e93eb55de4fda2c6

SHA256
db869613772191dfd005e44a542834829748f06135a2bd716ab0b6c12c89bdee

SHA512
030b5b4ab9f0a093f26350d0e28bae8e1d9dd5a85565f1bbda803c46037536a695d010f1e67b0e19c0ccd76c1088f8aa8148ff059635f396330a319bd3548d50

Download Submit
C:\Windows\SysWOW64\Qlpllkmc.exe

Filesize
224KB

MD5
e8126a7c53b968bae3f82547c2ee7f3e

SHA1
cdfdbeccd1238b487384b861a13a11c9d6366da7

SHA256
33a611f7c3e2b0e68bbaa1f9ce4bd9b84253efa4cb6add0fd2932fe0b8b0df58

SHA512
4fc572bcdd706530731f0163593f5a097f76ff7f5da03e1191ff22e5eea01c16dd80cf21e90e9b034ce88149c4f194b778044bd24dec67dfe7178e14136a1425

Download Submit
C:\Windows\SysWOW64\Qpikgj32.exe

Filesize
224KB

MD5
6cdaab6dd70a93842996c6ed2705b39a

SHA1
bb878948a3da653fb64cdad6715081562a0fd677

SHA256
926418bdc3628a12b9af62ae010af5270658fa48cd063702918be2933e714c11

SHA512
8dd7a65922922afe65e36bb8d871609082ceda5f4e717ff0b067fb8993e2671f63064862d66d3e5aaf5cb851eefcae0ebd11ea806704b9db38da8a4ab9ea6900

Download Submit
memory/448-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8240-1814-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8300-1813-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8928-1821-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9032-1819-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9076-1818-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9160-1816-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9212-1815-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads