00e7e61d2a55b8ce791edbf662b7f12e64a3518e6bb46dafa385291809f36584

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00e7e61d2a55b8ce791edbf662b7f12e64a3518e6bb46dafa385291809f36584.exe
Size

148KB
MD5

423b229a4bc34e2a5f491ea6483e12cf
SHA1

cbb3cb94e4b027149dce272334043fb56ca6cdce
SHA256

00e7e61d2a55b8ce791edbf662b7f12e64a3518e6bb46dafa385291809f36584
SHA512

7e2b68c6249ae7501e6b59f4f2a51687a2409822aa723d9cc96d558e8555742274626ccdbfcc19f97f24dc9b75f301b5adca4c5e68f3620bb8a458d94820ad45
SSDEEP

3072:UyXb98bMn1XJQZriY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:UyXb98bM15qiKOdzOdkOdezOd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pldlqlgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojqkbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhjkdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blbaihmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bemcgmak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Albibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeacko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bockjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plmogkoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhqjchp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhibni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Camfbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpedjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbacqape.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnnhhflf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chgoogfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe

Executes dropped EXE 64 IoCs

pid	Process
4304	Paohccgj.exe
4440	Piepdahl.exe
784	Pldlqlgp.exe
3316	Pnbimhfd.exe
1660	Paaeiceg.exe
4556	Pihmjqfj.exe
2776	Phkmem32.exe
2892	Pneebg32.exe
884	Pacaoc32.exe
4680	Pijjpp32.exe
4536	Pngbhg32.exe
3804	Peajdajk.exe
1216	Plkbak32.exe
4056	Ppgobjia.exe
2112	Pecgja32.exe
4432	Plmogkoe.exe
1116	Qnlkcfni.exe
1388	Qiappono.exe
1616	Qlpllkmc.exe
2664	Qnnhhflf.exe
4500	Qiclfo32.exe
1828	Albibj32.exe
4140	Ablaodbm.exe
4080	Aejmkpaq.exe
4284	Appahiag.exe
1488	Abnnddpj.exe
1068	Aemjpp32.exe
4620	Ahkflk32.exe
1480	Aoeniefo.exe
4380	Aeoffo32.exe
3328	Ahncbk32.exe
1608	Apekch32.exe
408	Aeacko32.exe
1996	Abedecjb.exe
3436	Aedpaoif.exe
3172	Ahblmjhj.exe
2848	Boldjd32.exe
3056	Bbhqjchp.exe
3504	Bhdibj32.exe
1372	Booaodnd.exe
5052	Blbaihmn.exe
2244	Boanecla.exe
4724	Baojaoke.exe
1920	Bekfan32.exe
3792	Bhibni32.exe
5000	Bpqjofcd.exe
3824	Bockjc32.exe
5092	Bbofkbbh.exe
3212	Bemcgmak.exe
2772	Blgkdg32.exe
4764	Boegpc32.exe
4288	Bbacqape.exe
1728	Bikkml32.exe
3560	Cpedjf32.exe
2308	Ceblbm32.exe
4996	Chphoh32.exe
2492	Clldogdc.exe
3136	Cojqkbdf.exe
2140	Cedihl32.exe
1064	Clnadfbp.exe
2732	Cakjmm32.exe
3720	Cibank32.exe
3540	Clqnjf32.exe
1264	Camfbm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qiclfo32.exe	Qnnhhflf.exe
File created	C:\Windows\SysWOW64\Lppbbf32.dll	Ahncbk32.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Dbcojmgm.dll	Aejmkpaq.exe
File created	C:\Windows\SysWOW64\Icpdfeeb.dll	Bhibni32.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Paohccgj.exe	00e7e61d2a55b8ce791edbf662b7f12e64a3518e6bb46dafa385291809f36584.exe
File opened for modification	C:\Windows\SysWOW64\Bbofkbbh.exe	Bockjc32.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Pacaoc32.exe	Pneebg32.exe
File opened for modification	C:\Windows\SysWOW64\Aeoffo32.exe	Aoeniefo.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Dhnepfpj.exe	Dephckaf.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Albibj32.exe	Qiclfo32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ffggkgmk.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Dhnepfpj.exe	Dephckaf.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Himcoo32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Booaodnd.exe	Bhdibj32.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Pnbimhfd.exe	Pldlqlgp.exe
File created	C:\Windows\SysWOW64\Heaacc32.dll	Appahiag.exe
File opened for modification	C:\Windows\SysWOW64\Chphoh32.exe	Ceblbm32.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Bikkml32.exe	Bbacqape.exe
File created	C:\Windows\SysWOW64\Coagla32.exe	Cpofpdgd.exe
File opened for modification	C:\Windows\SysWOW64\Dcopbp32.exe	Dpacfd32.exe
File created	C:\Windows\SysWOW64\Bbhqjchp.exe	Boldjd32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nfmmni32.dll	Aemjpp32.exe
File opened for modification	C:\Windows\SysWOW64\Eflhoigi.exe	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8480	8384	WerFault.exe	365

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeacko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boegpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Albibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pldlqlgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpqjofcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bemcgmak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopfdhej.dll"	Cojqkbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeoffo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plkbak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmcab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglajema.dll"	Chphoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boldjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddojp32.dll"	Apekch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlnpc32.dll"	Chgoogfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gcggpj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 4304	3168	00e7e61d2a55b8ce791edbf662b7f12e64a3518e6bb46dafa385291809f36584.exe	87
PID 3168 wrote to memory of 4304	3168	00e7e61d2a55b8ce791edbf662b7f12e64a3518e6bb46dafa385291809f36584.exe	87
PID 3168 wrote to memory of 4304	3168	00e7e61d2a55b8ce791edbf662b7f12e64a3518e6bb46dafa385291809f36584.exe	87
PID 4304 wrote to memory of 4440	4304	Paohccgj.exe	88
PID 4304 wrote to memory of 4440	4304	Paohccgj.exe	88
PID 4304 wrote to memory of 4440	4304	Paohccgj.exe	88
PID 4440 wrote to memory of 784	4440	Piepdahl.exe	89
PID 4440 wrote to memory of 784	4440	Piepdahl.exe	89
PID 4440 wrote to memory of 784	4440	Piepdahl.exe	89
PID 784 wrote to memory of 3316	784	Pldlqlgp.exe	90
PID 784 wrote to memory of 3316	784	Pldlqlgp.exe	90
PID 784 wrote to memory of 3316	784	Pldlqlgp.exe	90
PID 3316 wrote to memory of 1660	3316	Pnbimhfd.exe	91
PID 3316 wrote to memory of 1660	3316	Pnbimhfd.exe	91
PID 3316 wrote to memory of 1660	3316	Pnbimhfd.exe	91
PID 1660 wrote to memory of 4556	1660	Paaeiceg.exe	92
PID 1660 wrote to memory of 4556	1660	Paaeiceg.exe	92
PID 1660 wrote to memory of 4556	1660	Paaeiceg.exe	92
PID 4556 wrote to memory of 2776	4556	Pihmjqfj.exe	94
PID 4556 wrote to memory of 2776	4556	Pihmjqfj.exe	94
PID 4556 wrote to memory of 2776	4556	Pihmjqfj.exe	94
PID 2776 wrote to memory of 2892	2776	Phkmem32.exe	95
PID 2776 wrote to memory of 2892	2776	Phkmem32.exe	95
PID 2776 wrote to memory of 2892	2776	Phkmem32.exe	95
PID 2892 wrote to memory of 884	2892	Pneebg32.exe	96
PID 2892 wrote to memory of 884	2892	Pneebg32.exe	96
PID 2892 wrote to memory of 884	2892	Pneebg32.exe	96
PID 884 wrote to memory of 4680	884	Pacaoc32.exe	97
PID 884 wrote to memory of 4680	884	Pacaoc32.exe	97
PID 884 wrote to memory of 4680	884	Pacaoc32.exe	97
PID 4680 wrote to memory of 4536	4680	Pijjpp32.exe	98
PID 4680 wrote to memory of 4536	4680	Pijjpp32.exe	98
PID 4680 wrote to memory of 4536	4680	Pijjpp32.exe	98
PID 4536 wrote to memory of 3804	4536	Pngbhg32.exe	99
PID 4536 wrote to memory of 3804	4536	Pngbhg32.exe	99
PID 4536 wrote to memory of 3804	4536	Pngbhg32.exe	99
PID 3804 wrote to memory of 1216	3804	Peajdajk.exe	100
PID 3804 wrote to memory of 1216	3804	Peajdajk.exe	100
PID 3804 wrote to memory of 1216	3804	Peajdajk.exe	100
PID 1216 wrote to memory of 4056	1216	Plkbak32.exe	101
PID 1216 wrote to memory of 4056	1216	Plkbak32.exe	101
PID 1216 wrote to memory of 4056	1216	Plkbak32.exe	101
PID 4056 wrote to memory of 2112	4056	Ppgobjia.exe	102
PID 4056 wrote to memory of 2112	4056	Ppgobjia.exe	102
PID 4056 wrote to memory of 2112	4056	Ppgobjia.exe	102
PID 2112 wrote to memory of 4432	2112	Pecgja32.exe	103
PID 2112 wrote to memory of 4432	2112	Pecgja32.exe	103
PID 2112 wrote to memory of 4432	2112	Pecgja32.exe	103
PID 4432 wrote to memory of 1116	4432	Plmogkoe.exe	104
PID 4432 wrote to memory of 1116	4432	Plmogkoe.exe	104
PID 4432 wrote to memory of 1116	4432	Plmogkoe.exe	104
PID 1116 wrote to memory of 1388	1116	Qnlkcfni.exe	105
PID 1116 wrote to memory of 1388	1116	Qnlkcfni.exe	105
PID 1116 wrote to memory of 1388	1116	Qnlkcfni.exe	105
PID 1388 wrote to memory of 1616	1388	Qiappono.exe	106
PID 1388 wrote to memory of 1616	1388	Qiappono.exe	106
PID 1388 wrote to memory of 1616	1388	Qiappono.exe	106
PID 1616 wrote to memory of 2664	1616	Qlpllkmc.exe	107
PID 1616 wrote to memory of 2664	1616	Qlpllkmc.exe	107
PID 1616 wrote to memory of 2664	1616	Qlpllkmc.exe	107
PID 2664 wrote to memory of 4500	2664	Qnnhhflf.exe	109
PID 2664 wrote to memory of 4500	2664	Qnnhhflf.exe	109
PID 2664 wrote to memory of 4500	2664	Qnnhhflf.exe	109
PID 4500 wrote to memory of 1828	4500	Qiclfo32.exe	110

C:\Users\Admin\AppData\Local\Temp\00e7e61d2a55b8ce791edbf662b7f12e64a3518e6bb46dafa385291809f36584.exe
"C:\Users\Admin\AppData\Local\Temp\00e7e61d2a55b8ce791edbf662b7f12e64a3518e6bb46dafa385291809f36584.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SysWOW64\Paohccgj.exe
  C:\Windows\system32\Paohccgj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\Piepdahl.exe
    C:\Windows\system32\Piepdahl.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\Pldlqlgp.exe
      C:\Windows\system32\Pldlqlgp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:784
    - - C:\Windows\SysWOW64\Pnbimhfd.exe
        
        C:\Windows\system32\Pnbimhfd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3316
      - C:\Windows\SysWOW64\Paaeiceg.exe
        
        C:\Windows\system32\Paaeiceg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Pihmjqfj.exe
        
        C:\Windows\system32\Pihmjqfj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Phkmem32.exe
        
        C:\Windows\system32\Phkmem32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Pneebg32.exe
        
        C:\Windows\system32\Pneebg32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Pacaoc32.exe
        
        C:\Windows\system32\Pacaoc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Pijjpp32.exe
        
        C:\Windows\system32\Pijjpp32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Pngbhg32.exe
        
        C:\Windows\system32\Pngbhg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Peajdajk.exe
        
        C:\Windows\system32\Peajdajk.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Plkbak32.exe
        
        C:\Windows\system32\Plkbak32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Ppgobjia.exe
        
        C:\Windows\system32\Ppgobjia.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Pecgja32.exe
        
        C:\Windows\system32\Pecgja32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Plmogkoe.exe
        
        C:\Windows\system32\Plmogkoe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Qnlkcfni.exe
        
        C:\Windows\system32\Qnlkcfni.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Qiappono.exe
        
        C:\Windows\system32\Qiappono.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Qlpllkmc.exe
        
        C:\Windows\system32\Qlpllkmc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Qnnhhflf.exe
        
        C:\Windows\system32\Qnnhhflf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Qiclfo32.exe
        
        C:\Windows\system32\Qiclfo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Albibj32.exe
        
        C:\Windows\system32\Albibj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Ablaodbm.exe
        
        C:\Windows\system32\Ablaodbm.exe
        24⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Aejmkpaq.exe
        
        C:\Windows\system32\Aejmkpaq.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Appahiag.exe
        
        C:\Windows\system32\Appahiag.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Abnnddpj.exe
        
        C:\Windows\system32\Abnnddpj.exe
        27⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Aemjpp32.exe
        
        C:\Windows\system32\Aemjpp32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Ahkflk32.exe
        
        C:\Windows\system32\Ahkflk32.exe
        29⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Aoeniefo.exe
        
        C:\Windows\system32\Aoeniefo.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Aeoffo32.exe
        
        C:\Windows\system32\Aeoffo32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Ahncbk32.exe
        
        C:\Windows\system32\Ahncbk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Apekch32.exe
        
        C:\Windows\system32\Apekch32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Aeacko32.exe
        
        C:\Windows\system32\Aeacko32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Abedecjb.exe
        
        C:\Windows\system32\Abedecjb.exe
        35⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Aedpaoif.exe
        
        C:\Windows\system32\Aedpaoif.exe
        36⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Ahblmjhj.exe
        
        C:\Windows\system32\Ahblmjhj.exe
        37⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Boldjd32.exe
        
        C:\Windows\system32\Boldjd32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Bbhqjchp.exe
        
        C:\Windows\system32\Bbhqjchp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Bhdibj32.exe
        
        C:\Windows\system32\Bhdibj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        41⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Blbaihmn.exe
        
        C:\Windows\system32\Blbaihmn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Boanecla.exe
        
        C:\Windows\system32\Boanecla.exe
        43⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Baojaoke.exe
        
        C:\Windows\system32\Baojaoke.exe
        44⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Bekfan32.exe
        
        C:\Windows\system32\Bekfan32.exe
        45⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Bpqjofcd.exe
        
        C:\Windows\system32\Bpqjofcd.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        49⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Blgkdg32.exe
        
        C:\Windows\system32\Blgkdg32.exe
        51⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        54⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        58⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        60⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        61⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        62⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        63⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        67⤵
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        68⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        69⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2784
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        71⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        72⤵
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        73⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        74⤵
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        76⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        77⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        78⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        79⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        80⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2572
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        82⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        83⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        84⤵
        
        PID:984
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        85⤵
        
        PID:324
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        86⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        89⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        90⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4576
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        92⤵
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        93⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        94⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        95⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        96⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        97⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        98⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        101⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        102⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        103⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        104⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        105⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        107⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        108⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        110⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        111⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        112⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        113⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        115⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        116⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        117⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        118⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        119⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        120⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        121⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        122⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        123⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        124⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        125⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        126⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        129⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        130⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        131⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        132⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        135⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        136⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        138⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        141⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        143⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        144⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        145⤵
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        146⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        147⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        150⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        151⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        152⤵
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        153⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        154⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        155⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        156⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        157⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6700
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        160⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        161⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        163⤵
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6948
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        166⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        167⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        168⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        169⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        170⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        173⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        174⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        175⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        176⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        177⤵
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        179⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6844
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        181⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        182⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        184⤵
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        187⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        189⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        190⤵
        Drops file in System32 directory
        
        PID:6692
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        192⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        193⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        194⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        195⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        196⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        197⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        198⤵
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        199⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        201⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        202⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        204⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        205⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        206⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        207⤵
        Drops file in System32 directory
        
        PID:7204
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        208⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        209⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7332
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        211⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7408
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        213⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        214⤵
        Modifies registry class
        
        PID:7488
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        215⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        216⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        217⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        218⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        219⤵
        Modifies registry class
        
        PID:7676
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        220⤵
        Modifies registry class
        
        PID:7716
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        221⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        222⤵
        Drops file in System32 directory
        
        PID:7800
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        223⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7876
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        225⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        226⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        227⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8068
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8104
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        230⤵
        Modifies registry class
        
        PID:8148
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        231⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        232⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        233⤵
        Drops file in System32 directory
        
        PID:7240
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7320
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        235⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7456
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7516
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        238⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        239⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7712
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        241⤵
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        242⤵
        Drops file in System32 directory
        
        PID:7860
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7916
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        244⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        245⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        246⤵
        Drops file in System32 directory
        
        PID:8140
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        247⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        248⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        249⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        250⤵
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        251⤵
        Modifies registry class
        
        PID:7628
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7704
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        253⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7976
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8096
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7176
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        257⤵
        Drops file in System32 directory
        
        PID:7364
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        258⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        259⤵
        Modifies registry class
        
        PID:7636
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        260⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        261⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        262⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        263⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        264⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        265⤵
        Modifies registry class
        
        PID:7432
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        266⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        267⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7684
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8224
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        270⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        271⤵
        Modifies registry class
        
        PID:8308
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        272⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        273⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8384 -s 408
        274⤵
        Program crash
        
        PID:8480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8384 -ip 8384
1⤵
PID:8448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ablaodbm.exe

Filesize
148KB

MD5
778c3d3c4958408830f68002b4e24a88

SHA1
5dd285a1983b68007fd0dcf273ff3f0b03c4269d

SHA256
e77afe55f3cee0e9db90a1dbf1d7c839306aada3821e035dfacd5ab43f63e113

SHA512
b33618554279d43b482cbb190a18824ed1e731921a0e89164d333777a155f3f675395e345d3a7a9c6947abeaef3341cc40b6fdc7d7704862bbb852c4fa09e39d

Download Submit
C:\Windows\SysWOW64\Abnnddpj.exe

Filesize
148KB

MD5
0295ba7bef14fbfff88faad6fac1a8a8

SHA1
a99c20a648656ec20784ef67e85a3bd9745676ff

SHA256
1ae10201560936fe53abb90ba7ca0f02cb7bf28d11767728aa1432576c78bfa5

SHA512
8f298c363adc654bac66c82213debb857ab241f0292b542883a8e4c33152eb3276000b704ae00e8241950dc5383a7acc2b6c96d31b20b2f902806561727430cd

Download Submit
C:\Windows\SysWOW64\Aejmkpaq.exe

Filesize
148KB

MD5
3bca0ab918da4dd40a8ab707d91b33c8

SHA1
2e9a3574eb20b7033064622e606cbeba2adc190d

SHA256
2b7dc01604bd3ac9b3c444bedffa7d94b58f16df0616b7d860ffdd7e7c9d8b63

SHA512
d8f67e0233faab009491bcb57a3f5f61529106a59a87bd91600ab2534d4ec1b5d9f189e0857862d636b22f59b89911529ec99d2acae07e887fad4a7ee0bbb50f

Download Submit
C:\Windows\SysWOW64\Aemjpp32.exe

Filesize
148KB

MD5
2348318bfc48ff2d0505f12300ca8670

SHA1
b5124044944ae2aaed827a7faf86bf90887d43c4

SHA256
94cf2276a0a60b732a7128d7a4fb3b449ff198b38d46f57c83d212770b85601b

SHA512
4855887f476ba9d557d6fffa18cd97c7bb38e00dfb490eda5daea64b9629c8cb5c1fb74d14620412eadf9151b8c4fc904cbb5d8f9925e6b1da35fcad153055de

Download Submit
C:\Windows\SysWOW64\Aeoffo32.exe

Filesize
148KB

MD5
59767d45f151ff1093a483d92a35c424

SHA1
c1e3b3b71f5cd6d136084cbc357404415c7ad276

SHA256
021ae57deaee2bfcd93d360913e9a350d5ef719d8cfa16273bd3deb8b41d8d4c

SHA512
eeae3c87666bb30e5768d59da70b87587ec61cdaff4b04d9cebbdf972b248afc96b2db831928d385078d19f864daf9756198de0a7848f9aead28821843f8a58e

Download Submit
C:\Windows\SysWOW64\Ahkflk32.exe

Filesize
148KB

MD5
359869802b2ea24adc42d909d9919911

SHA1
2ca1264c9767c2c18453b11b65834cde478ae9f4

SHA256
e765a36965331230d84daa23d0491bf919ea384f530fb65ad1452c6400cc5e92

SHA512
b5402bdf95d7b0d253e65bc5c59c314265af86be42f35814db7a66c53f29e8a5ecdbef6b6f7ad1c01713fdbd911556f6ab81272fa0ee42a03b92b730a6973a08

Download Submit
C:\Windows\SysWOW64\Ahncbk32.exe

Filesize
148KB

MD5
335792a394a1a8ecf2d4603ce128071d

SHA1
ca949458a2f1300509723af803f462c457136533

SHA256
0e17df9e1de6fb7198d372e84c7dbaf9a002ae1aa1ebc84414cda08481d5e6f2

SHA512
89cb7109c8bd2108b9ae016ee5ba93ac720771b10938ed8cc38d8adcba6c0e2ee7fd417adb94b641ad0c74369dd05f496f2685fa05cd22cc3a7b4d920d67fe78

Download Submit
C:\Windows\SysWOW64\Albibj32.exe

Filesize
148KB

MD5
bf45611d3cd0c43b3bda241c7c0c644c

SHA1
ba7258c8745a5febba882ae5f9f3078662af32c0

SHA256
ef759544e2312ce235d540d58212af261440dde5d3f8d3abee2017a211cfe700

SHA512
2f9ae0ee3c5e4baa6597d4e476836ecd5b08161a6e6ad83fa25ea2b78808a75cf898ed3877988956ecafaf8261aedffe0d891957339a94673587382709730fb6

Download Submit
C:\Windows\SysWOW64\Aoeniefo.exe

Filesize
148KB

MD5
104483dcffcbe4d210053ff7520f4cf5

SHA1
c8c8a88f5f214ea49f22531170f553e0bc12c393

SHA256
756c9096ee68f1f449c4610a1ccf800871f7233be411c8cbcfb057c2d7e20970

SHA512
34c3581ce48322d52ddd37fd388d4e32d6905652004b8c8db85870217297fc0ab9e96b26caa487c50aaa09874e13134ebccf89cb1c6e57af7d51a587eb469c50

Download Submit
C:\Windows\SysWOW64\Apekch32.exe

Filesize
148KB

MD5
b2c92fc960f5b8d8cd611b903621f30d

SHA1
8eff3b0fe74272da50d1f4eb7ad1dbca5b19466b

SHA256
41bb242eda57913c68277eeb4d8f2678074519123ee588c41dff944e0f5fd8e7

SHA512
8d6df094fb90ed5aa93e3bf028ccaf4f0ef91512c24e9977f722a9e48992063d5f497062b6bf3bf40235dadbf4e78a9a594d9345eef2a5497896205d63a14b09

Download Submit
C:\Windows\SysWOW64\Appahiag.exe

Filesize
148KB

MD5
36c643f915e8f479fb778b2ee802b017

SHA1
4d38c3cc7ac07efb7282a719c7a1b386d3cba7dd

SHA256
3e2a379bab225d3aaa6f10b9981f5318b7e76850e0d650ca560e075eeca1f388

SHA512
411ad77d4999b2abbfb341a23e424ab726fd8181a59facaebbf8a82b1288d94a235eb677ea7dbd546ede85e84d59e4d499fc766f26562a03e2dc45b8d4a0b18e

Download Submit
C:\Windows\SysWOW64\Clldogdc.exe

Filesize
148KB

MD5
9571f70f6a24a31597a07c8d6376e7cc

SHA1
a44fc82d2eb37000b883c47d386dfebc8ebb297e

SHA256
4e78dfe9a710ed233b68d3a613ad0e24db854301e175305d9c6d0947f9298f81

SHA512
bb4801f35b770941f9474b2f36decaf644fcca687e423b69d4796005593a928fd6246418e7ec66d91dbb194deb6fd3149df16d205133d0bf6ae466299d2862a4

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
148KB

MD5
20cf87ee6d109f96861c45a24ed13550

SHA1
5dc77446090099002a80a89d0ab0bc9e9d21aa42

SHA256
3c8915c42726295dc48399a4c086c85aa08a5fbbc0b9268bb814ea2140200b10

SHA512
edb030bb946afebe24268eb173d49d6abea7c76c37ee65b4502ca4a7493af21989cacd09a215f7584f5cedcf201d75f457b154346138d9c927f802a8258d2df9

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
148KB

MD5
bc6e9a110f36f90f463b767b8d40812e

SHA1
3b50fbef47199f29df6fcc94edf210447c508c74

SHA256
81403a8a725632acd0785dc9aeff204e923e4b761d96f4f9951a226cb8b356a7

SHA512
3aba944e3e3685fdaa078fa468b9b0518f774c392a8580f46eef5ed7689fead54d3b5f3e088cd8dfe014e2c61e966bb42a818f0dde594a28b7c40a31e1a846ae

Download Submit
C:\Windows\SysWOW64\Paaeiceg.exe

Filesize
148KB

MD5
27055ba5eba9b6248f07ba723a473db2

SHA1
0a6771b6342a4673056fc54ea77d5b3b665db325

SHA256
804cab13c8d28f3751373e1398c18f3434f2ded088e526339333bf910bc84f38

SHA512
e807b94c9c536526d447439fb0a5e653f4afe0ad29ec1cc3d92b5b5d6f90d213eafb78d92e77bd7bcf0539d1b08aff116674e6c59f0620c45a4f77ca6391a9e8

Download Submit
C:\Windows\SysWOW64\Pacaoc32.exe

Filesize
148KB

MD5
ad407b4da5d7d3f3b081180999fd03f0

SHA1
1e0c94bd016ada1d1d824d05ff2cc4877cdf7c0c

SHA256
8ba325d85e4fbe2a1f6ca6e456e2ffca40baae2961e4001336706b638490f372

SHA512
05ad36a4d95a5b8e6ea92b91bd004de333e5bc747c8ea95236cb641f43e70779140bcb9b88807ae3a1f9c8ac5f9d8606a4be41379391a7e3b747748087c65b0a

Download Submit
C:\Windows\SysWOW64\Paohccgj.exe

Filesize
148KB

MD5
7c60da4ca0a13fcba5d4f96ab41cb900

SHA1
c8c0cb89d09da5ea41c79c86585cc6c9404a5ee8

SHA256
272f03ea3a747a73f961d4b30cd8acd3975292e9297c88183d4777313bcaae30

SHA512
a99c8776aa7756178e6e659569b5d5dba935736e719006acced1b64630d48583ed58277c83132951425fb2085ad38107012005e72abe0c652ba062f720a3fbad

Download Submit
C:\Windows\SysWOW64\Peajdajk.exe

Filesize
148KB

MD5
9444f787db896346b14f1acb153e0491

SHA1
78b34814072a877e73a727011eff09af21ebbf16

SHA256
553ff334cbd93abe60499544b876d3bae260053852236296ab9710870739d6cb

SHA512
6599bfbc739ada213b7fc5fe2aca263c1c5644e62147e6227d93d1dcfabc499faefd3369a6e1e6a1d1ca082b0b8e5b703377cf4fa3ae5cf90c47a54c7396b6a7

Download Submit
C:\Windows\SysWOW64\Pecgja32.exe

Filesize
148KB

MD5
9df0be2e58b90cf0829fd34f5fa50aec

SHA1
357acd5e493709ec5903cac72ec3c070a63d5367

SHA256
81a449ae38ea9d9c9630a5bb271c159f813af5eb819f3096dc4fac7ae4425cee

SHA512
63fa27f0938f7caefd1f943b6a3e641c97dfeecf290e6ebdeeeec15238be230a9b0bc971b7dfecf4737812a62a091ed688e60a4931cf798674a02641c048604c

Download Submit
C:\Windows\SysWOW64\Phkmem32.exe

Filesize
148KB

MD5
1ea05e2fece9862e46dddf34c6f98652

SHA1
4f739a7684490a08e2299004939e980938a5a139

SHA256
ef5954501eadfe57222d4787a95f5ace22430edcad475d98e6fbd4562e932139

SHA512
fb8318bf04f6b4e8b1929d88c6b816aa2f50c503cdcdd49f4e8321523603ac351df91359f441a7aa11178bc8a5d40bb83853dddfd2d49355d9e5ce5e017ee55e

Download Submit
C:\Windows\SysWOW64\Piepdahl.exe

Filesize
148KB

MD5
d96646fc73a2f7cbf0fa02c03b4cfc16

SHA1
aefcd9e6a0fc953354745f137c073b76b1239464

SHA256
04577525eb651567e97e5cec9f62e6220fa3cd4029a5261f6826e2a6308450ef

SHA512
195fa98a6436852a4c9d4b01252435dbd81b0034d08087cdeddd56e3c0064118ac47bdeed122e85a7df6da087dd812843bb5e421924c90a2558a8c4587aefa3e

Download Submit
C:\Windows\SysWOW64\Pihmjqfj.exe

Filesize
148KB

MD5
d6c75b988b678e825329fcf776539f66

SHA1
d74f38b473a96267574864a58bab3faf190ca924

SHA256
7737cc112741fbf543eeac9db393178cf2d9d471a90bc09e305811797e9ec469

SHA512
8c0ad3455ccbe7bdc3aa5f367de8b362a8cff0cdedc14c3be7be001440bf302207038afe1dc08d458e0a725bf28ff412c8797a5d418ba0e1a1a3cf8026038d7e

Download Submit
C:\Windows\SysWOW64\Pijjpp32.exe

Filesize
148KB

MD5
99f6a36d919c280f858a0693402a3859

SHA1
4c50728b86c5e1868d408c92cc7c3aff4d2079c7

SHA256
840eb4167ecc3a64bf629effe7b8ed6dc1cbfac3323e884c060385b4347ea59e

SHA512
09eac75619306b6b6c6222182cf325068b3f46a28f46f8399d309fdf733ec9da9e5afb2b8e34fe02871095ac51101c242229eeffa3a85e0164e4e5dd541c8615

Download Submit
C:\Windows\SysWOW64\Pldlqlgp.exe

Filesize
148KB

MD5
9137bdbfcca4d8397e3475844064e79b

SHA1
56e54e489ebf0f47240f8c7f24fafa354c787764

SHA256
f466f3891b4ff9c1e8107c1386f3fd8a13875250e0888319e72c20faa4c36bb8

SHA512
86bff8cf7fe50df5d4696793bb692240fa77f0cbaa2214f8cd841bf1ce600c6d89688a286ce8a888b39abd27664b1560d34367047aebe259bdcfe147e5845fe2

Download Submit
C:\Windows\SysWOW64\Plkbak32.exe

Filesize
148KB

MD5
0255bad1d5affb903e906d321f395d8c

SHA1
cb28e0cbbeb01a6babc136bd49410b8e78863108

SHA256
491a6cf31fd01c60023ab1399fb4adfeace4350bda1616f339b41d90ef6dfc83

SHA512
1c2748ae7bd48b371b8ce41bd84af91a3058de99a956ed38dbb9b6841ba988bf6b90413e2630244469d88b95ccc75f7cc5a60e0762b8a6ab987947a2642fc3c0

Download Submit
C:\Windows\SysWOW64\Plmogkoe.exe

Filesize
148KB

MD5
2da3a1855df177dfa6c3f5a7c7379963

SHA1
84371fa0b00ad6909b4a85f35674a9e220d21967

SHA256
9c00341c9fe4752c05a38fbeccb0bd4beac1c4f0039afdc13ce2599546c8ae1d

SHA512
982f156df35067f3785a29e2f8c92ef18bc2450a9f67d5fc1f69ed7f38e9884d2b7123d578d853347e57f556aac7af2ad77721beb18d72aab774aa45c9c31974

Download Submit
C:\Windows\SysWOW64\Pnbimhfd.exe

Filesize
148KB

MD5
3acd8e706a9545bdc73ef01b964fe653

SHA1
bb24abb87751784645ab821d29c97a59f753a113

SHA256
3dc05a1f643ef9a8d70c62e183ad815e907d6c8425289e443dd221c2a9613d19

SHA512
758fb0e96babc023488627c922f2fbc8351c88f29a9ff45807c7c89b1a3b2211d829e161a2e40cf60603767a199916077a8aff730e9aeb5ed05c9731e813f76a

Download Submit
C:\Windows\SysWOW64\Pneebg32.exe

Filesize
148KB

MD5
e2d68b4a2c2835fefbcd37de1bde6247

SHA1
0b55f9caec8d74351b037091857265b7912efce1

SHA256
0ecaf1e98debaff641650907dd3883938377e66f95d0407561edff47526a19db

SHA512
faca4313469ae1b9e37f3061ab5635f6d51f48f2240f9e3ff1d641ccddcd263d37309019adc0955ddccac2115d314beb0ccdd9056173001085f009e28f3372ad

Download Submit
C:\Windows\SysWOW64\Pngbhg32.exe

Filesize
148KB

MD5
164c6e87ebf16acfdf2c6a41d6b7b445

SHA1
397409a4ca24d1c89b554d8a1915c135043ba99f

SHA256
48857d9171eefa4e47f850606d5c8869c114e0b8e1cb7a39833d19e101614322

SHA512
45aaacf9aa90fe0a13fd60f381f98dbdd15b1b4ed61623c5653e335cbe444dfae009add77f28c00ff71455ec2885e8595dfbe58c1db0bbb5dd75c244c0a4120f

Download Submit
C:\Windows\SysWOW64\Ppgobjia.exe

Filesize
148KB

MD5
fe097278e45cf7b780cfb562ccb369cd

SHA1
8294fe59721c59687c46753e4a51ce579907e229

SHA256
48654424baacb4b23b01cb3325c6c1caa2710227a23df680a4b356e34d0e08e7

SHA512
e8e0faaad592b685044a0840653b3d598c32c7c7e4924637c6da364c984aa8869edd30fa808d9115cb61406e966703b3677ec21380a14fc286256aec8eeb8bf9

Download Submit
C:\Windows\SysWOW64\Qiappono.exe

Filesize
148KB

MD5
98b4870eba11af3c00f0e9db479210c0

SHA1
2bb995fe1a40d265a123cd82df7cf691d95e0faa

SHA256
a4a48566c62225072c6e22e4245939d3deff5157630b970e672361a8ed3bc022

SHA512
258072de9ab729b40dbc87a3a2129077d7ab0cbbcf96a71cbc6492046db16d38330271c390f5fd183824112890e2f30ecd94b64987808f1237f479fca4962b70

Download Submit
C:\Windows\SysWOW64\Qiclfo32.exe

Filesize
148KB

MD5
abd0ff33c476f061e7de22061d29186d

SHA1
410b672713a3f2a2344ca0601add9081a9166217

SHA256
300b07ae150f3fa1e95e4f801a60baee4e7b8c52d90d3a50a6f910cbc2a7236d

SHA512
9e2f2c2bf3355aa31fceae2fcce808a132040f0ce5156988083e51670253a1b2d8d313244916f5f51cbf39228719553c2c82d55888380118800eda291ba14923

Download Submit
C:\Windows\SysWOW64\Qlpllkmc.exe

Filesize
148KB

MD5
b732aa7dc7debb9f1ce34cb04eb84f5b

SHA1
892387032e545be4480ce7ff65f0ba2ec5d3e0f1

SHA256
62c65b954240a3793e0f1bacc5570ba826de3f7809e5b95fa8e79b1a2d43a911

SHA512
565a3c08eda7d237abd6c3915bd367d55b9673a7ac9d1880dab7166cebbf92fc5f4cac73045a85bafb73636682462d807c589ca5b02d502687c8b1741e51d609

Download Submit
C:\Windows\SysWOW64\Qnlkcfni.exe

Filesize
148KB

MD5
ac18b40c021ab9f1a3d2c13a71e0dacd

SHA1
8964cec8e3674c42303788dbacb7e0cd9e1502f6

SHA256
dbd1a48cafb57ff21d47021611a13801903aceaef7c20540335ab33bbba7a661

SHA512
23baedb1e484418c4ac27f2effa54ae71cc5e94c77a0187d25033a50acfbfef34eb6d19d292cb155528a26aa54fa5e062813bc46788cadc3edd5a272585b05c4

Download Submit
C:\Windows\SysWOW64\Qnnhhflf.exe

Filesize
148KB

MD5
ffb24d07f715aa8a280a9c110b68ee1a

SHA1
80f63eb7d710903339cf367442775254375d64b9

SHA256
b753f8bf2c96e4869311c223b1cec1e755b5e78906ed1be587828c9939c963ce

SHA512
7b3f3594bbe4b5a7b033daae8fec103e487dc47a87216c0e12fb507eeefd8e26b163a7c2ab65f31e46426ad90079c4308687ac4202930f9b5ba71c89084be91b

Download Submit
memory/408-263-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/784-25-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/884-76-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1064-418-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1068-217-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1116-137-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1216-111-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1220-453-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1264-442-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1292-458-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1372-304-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1388-145-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1480-233-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1488-213-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1608-261-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1616-153-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1660-45-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1728-382-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1828-177-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1920-331-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1996-273-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2112-121-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2140-416-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2244-316-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2492-400-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2516-460-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2664-161-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2732-424-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2776-56-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2784-472-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2848-291-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2892-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3056-297-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3136-406-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3168-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3168-80-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3168-5-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3212-359-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3328-253-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3436-275-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3504-298-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3540-436-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3560-384-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3648-466-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3720-430-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3804-97-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4056-117-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4080-197-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4140-185-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4284-206-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4288-372-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4304-13-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4380-240-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4432-129-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4440-17-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4500-169-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4536-89-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4556-48-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4620-225-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4680-85-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4764-371-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5000-342-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5052-310-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5092-349-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads