c32650f9950f1e7c08b3e3004d3ba8b0fdb3355085f697c2ececf5d01c36391a

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34d1924177a3c219d1708d075724cf6b.exe
Size

428KB
MD5

34d1924177a3c219d1708d075724cf6b
SHA1

bf9df6ca5bad3a7736379a83402485cb90f36744
SHA256

c32650f9950f1e7c08b3e3004d3ba8b0fdb3355085f697c2ececf5d01c36391a
SHA512

d4b695f25a7b1cb7869b19c9c98d9e094ad9a95c16b09e0296dda846eee3a1551f28c3d75ec473f9f2078783002af39d9e546ee6a212a87afbc60c988093c6d7
SSDEEP

12288:8vlU5hjtFrNF5h0EJtws15tPWu5Ls15tw:8NU5hjLZF5h0E/Tge

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Booaodnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blbaihmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbofkbbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Badcln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chphoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boegpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bifbbllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahppgjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apndbici.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifbbllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apndbici.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe

Executes dropped EXE 64 IoCs

pid	Process
2736	Apndbici.exe
2856	Ablaodbm.exe
5044	Aifiko32.exe
1568	Aocace32.exe
4256	Abnnddpj.exe
2088	Aemjpp32.exe
4580	Apbnnh32.exe
3220	Aoeniefo.exe
3320	Aackeqeb.exe
4536	Aikbfnfd.exe
2900	Aliobieh.exe
5032	Apekch32.exe
2416	Aogkoedl.exe
992	Aafgkpcp.exe
3176	Aeacko32.exe
4432	Aimoln32.exe
4776	Ahppgjjl.exe
1516	Apggihko.exe
320	Aojhdd32.exe
3996	Aahdqp32.exe
3040	Aedpaoif.exe
1860	Aiolam32.exe
924	Blnhni32.exe
3700	Bpidngil.exe
1808	Boldjd32.exe
4976	Bibigmpl.exe
3024	Bhdibj32.exe
3884	Bpladg32.exe
4068	Booaodnd.exe
2068	Bbjmpb32.exe
2348	Behiln32.exe
864	Bidemmnj.exe
4808	Blbaihmn.exe
1404	Bpnnig32.exe
2480	Bbljeb32.exe
4512	Bekfan32.exe
4376	Bifbbllg.exe
4420	Blennh32.exe
3444	Bockjc32.exe
348	Bbofkbbh.exe
1584	Bemcgmak.exe
4972	Biiohl32.exe
3860	Bhlocipo.exe
5100	Bpcgdfaa.exe
1444	Boegpc32.exe
3692	Bbacqape.exe
2400	Badcln32.exe
4404	Bikkml32.exe
1312	Clihig32.exe
5036	Cpedjf32.exe
3632	Cccpfa32.exe
3540	Ceblbm32.exe
336	Cimhckeo.exe
3156	Chphoh32.exe
1932	Cpgqpe32.exe
512	Cojqkbdf.exe
3688	Cedihl32.exe
5060	Cipehkcl.exe
2476	Clnadfbp.exe
4904	Commqb32.exe
3432	Cefemliq.exe
4504	Cpljkdig.exe
3268	Camfbm32.exe
1020	Cidncj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fomonm32.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Cccpfa32.exe	Cpedjf32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Cedihl32.exe	Cojqkbdf.exe
File created	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File opened for modification	C:\Windows\SysWOW64\Blennh32.exe	Bifbbllg.exe
File created	C:\Windows\SysWOW64\Dephckaf.exe	Dcalgo32.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Fokbim32.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Apggihko.exe	Ahppgjjl.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Bfhehdem.dll	Cimhckeo.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Giacca32.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Diblfl32.dll	Bpidngil.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Blennh32.exe	Bifbbllg.exe
File created	C:\Windows\SysWOW64\Aoeniefo.exe	Apbnnh32.exe
File created	C:\Windows\SysWOW64\Nkbkiioa.dll	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Elhmablc.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Aikbfnfd.exe	Aackeqeb.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Cpgqpe32.exe	Chphoh32.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Eoocmoao.exe	Elagacbk.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Aamgnn32.dll	Clihig32.exe
File created	C:\Windows\SysWOW64\Cccpfa32.exe	Cpedjf32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Chphoh32.exe	Cimhckeo.exe
File created	C:\Windows\SysWOW64\Cichoi32.dll	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Gnkchm32.dll	Bpnnig32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Camfbm32.exe	Cpljkdig.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Eenphlji.dll	Cedihl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7648	7264	WerFault.exe	349

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpjfn32.dll"	Bekfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iochpo32.dll"	Aifiko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aafgkpcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppheeep.dll"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	34d1924177a3c219d1708d075724cf6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifoip32.dll"	Ceblbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjjjehm.dll"	Aogkoedl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cimhckeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boldjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpqikhah.dll"	Chphoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehabgbnk.dll"	Booaodnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apekch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aemjpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aimoln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhdibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bekfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einnhi32.dll"	Boegpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 2736	4084	34d1924177a3c219d1708d075724cf6b.exe	84
PID 4084 wrote to memory of 2736	4084	34d1924177a3c219d1708d075724cf6b.exe	84
PID 4084 wrote to memory of 2736	4084	34d1924177a3c219d1708d075724cf6b.exe	84
PID 2736 wrote to memory of 2856	2736	Apndbici.exe	85
PID 2736 wrote to memory of 2856	2736	Apndbici.exe	85
PID 2736 wrote to memory of 2856	2736	Apndbici.exe	85
PID 2856 wrote to memory of 5044	2856	Ablaodbm.exe	86
PID 2856 wrote to memory of 5044	2856	Ablaodbm.exe	86
PID 2856 wrote to memory of 5044	2856	Ablaodbm.exe	86
PID 5044 wrote to memory of 1568	5044	Aifiko32.exe	88
PID 5044 wrote to memory of 1568	5044	Aifiko32.exe	88
PID 5044 wrote to memory of 1568	5044	Aifiko32.exe	88
PID 1568 wrote to memory of 4256	1568	Aocace32.exe	89
PID 1568 wrote to memory of 4256	1568	Aocace32.exe	89
PID 1568 wrote to memory of 4256	1568	Aocace32.exe	89
PID 4256 wrote to memory of 2088	4256	Abnnddpj.exe	90
PID 4256 wrote to memory of 2088	4256	Abnnddpj.exe	90
PID 4256 wrote to memory of 2088	4256	Abnnddpj.exe	90
PID 2088 wrote to memory of 4580	2088	Aemjpp32.exe	91
PID 2088 wrote to memory of 4580	2088	Aemjpp32.exe	91
PID 2088 wrote to memory of 4580	2088	Aemjpp32.exe	91
PID 4580 wrote to memory of 3220	4580	Apbnnh32.exe	92
PID 4580 wrote to memory of 3220	4580	Apbnnh32.exe	92
PID 4580 wrote to memory of 3220	4580	Apbnnh32.exe	92
PID 3220 wrote to memory of 3320	3220	Aoeniefo.exe	93
PID 3220 wrote to memory of 3320	3220	Aoeniefo.exe	93
PID 3220 wrote to memory of 3320	3220	Aoeniefo.exe	93
PID 3320 wrote to memory of 4536	3320	Aackeqeb.exe	94
PID 3320 wrote to memory of 4536	3320	Aackeqeb.exe	94
PID 3320 wrote to memory of 4536	3320	Aackeqeb.exe	94
PID 4536 wrote to memory of 2900	4536	Aikbfnfd.exe	95
PID 4536 wrote to memory of 2900	4536	Aikbfnfd.exe	95
PID 4536 wrote to memory of 2900	4536	Aikbfnfd.exe	95
PID 2900 wrote to memory of 5032	2900	Aliobieh.exe	96
PID 2900 wrote to memory of 5032	2900	Aliobieh.exe	96
PID 2900 wrote to memory of 5032	2900	Aliobieh.exe	96
PID 5032 wrote to memory of 2416	5032	Apekch32.exe	97
PID 5032 wrote to memory of 2416	5032	Apekch32.exe	97
PID 5032 wrote to memory of 2416	5032	Apekch32.exe	97
PID 2416 wrote to memory of 992	2416	Aogkoedl.exe	98
PID 2416 wrote to memory of 992	2416	Aogkoedl.exe	98
PID 2416 wrote to memory of 992	2416	Aogkoedl.exe	98
PID 992 wrote to memory of 3176	992	Aafgkpcp.exe	99
PID 992 wrote to memory of 3176	992	Aafgkpcp.exe	99
PID 992 wrote to memory of 3176	992	Aafgkpcp.exe	99
PID 3176 wrote to memory of 4432	3176	Aeacko32.exe	100
PID 3176 wrote to memory of 4432	3176	Aeacko32.exe	100
PID 3176 wrote to memory of 4432	3176	Aeacko32.exe	100
PID 4432 wrote to memory of 4776	4432	Aimoln32.exe	101
PID 4432 wrote to memory of 4776	4432	Aimoln32.exe	101
PID 4432 wrote to memory of 4776	4432	Aimoln32.exe	101
PID 4776 wrote to memory of 1516	4776	Ahppgjjl.exe	102
PID 4776 wrote to memory of 1516	4776	Ahppgjjl.exe	102
PID 4776 wrote to memory of 1516	4776	Ahppgjjl.exe	102
PID 1516 wrote to memory of 320	1516	Apggihko.exe	103
PID 1516 wrote to memory of 320	1516	Apggihko.exe	103
PID 1516 wrote to memory of 320	1516	Apggihko.exe	103
PID 320 wrote to memory of 3996	320	Aojhdd32.exe	104
PID 320 wrote to memory of 3996	320	Aojhdd32.exe	104
PID 320 wrote to memory of 3996	320	Aojhdd32.exe	104
PID 3996 wrote to memory of 3040	3996	Aahdqp32.exe	105
PID 3996 wrote to memory of 3040	3996	Aahdqp32.exe	105
PID 3996 wrote to memory of 3040	3996	Aahdqp32.exe	105
PID 3040 wrote to memory of 1860	3040	Aedpaoif.exe	106

C:\Users\Admin\AppData\Local\Temp\34d1924177a3c219d1708d075724cf6b.exe
"C:\Users\Admin\AppData\Local\Temp\34d1924177a3c219d1708d075724cf6b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\SysWOW64\Apndbici.exe
  C:\Windows\system32\Apndbici.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Ablaodbm.exe
    C:\Windows\system32\Ablaodbm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\Aifiko32.exe
      C:\Windows\system32\Aifiko32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\SysWOW64\Aocace32.exe
        
        C:\Windows\system32\Aocace32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\SysWOW64\Abnnddpj.exe
        
        C:\Windows\system32\Abnnddpj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Aemjpp32.exe
        
        C:\Windows\system32\Aemjpp32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Apbnnh32.exe
        
        C:\Windows\system32\Apbnnh32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Aoeniefo.exe
        
        C:\Windows\system32\Aoeniefo.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Aackeqeb.exe
        
        C:\Windows\system32\Aackeqeb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Aikbfnfd.exe
        
        C:\Windows\system32\Aikbfnfd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Aliobieh.exe
        
        C:\Windows\system32\Aliobieh.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Apekch32.exe
        
        C:\Windows\system32\Apekch32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Aogkoedl.exe
        
        C:\Windows\system32\Aogkoedl.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Aafgkpcp.exe
        
        C:\Windows\system32\Aafgkpcp.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Aeacko32.exe
        
        C:\Windows\system32\Aeacko32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Aimoln32.exe
        
        C:\Windows\system32\Aimoln32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Ahppgjjl.exe
        
        C:\Windows\system32\Ahppgjjl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Apggihko.exe
        
        C:\Windows\system32\Apggihko.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Aojhdd32.exe
        
        C:\Windows\system32\Aojhdd32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Aahdqp32.exe
        
        C:\Windows\system32\Aahdqp32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Aedpaoif.exe
        
        C:\Windows\system32\Aedpaoif.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Aiolam32.exe
        
        C:\Windows\system32\Aiolam32.exe
        23⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Blnhni32.exe
        
        C:\Windows\system32\Blnhni32.exe
        24⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Bpidngil.exe
        
        C:\Windows\system32\Bpidngil.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Boldjd32.exe
        
        C:\Windows\system32\Boldjd32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Bibigmpl.exe
        
        C:\Windows\system32\Bibigmpl.exe
        27⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Bhdibj32.exe
        
        C:\Windows\system32\Bhdibj32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Bpladg32.exe
        
        C:\Windows\system32\Bpladg32.exe
        29⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Bbjmpb32.exe
        
        C:\Windows\system32\Bbjmpb32.exe
        31⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Behiln32.exe
        
        C:\Windows\system32\Behiln32.exe
        32⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Bidemmnj.exe
        
        C:\Windows\system32\Bidemmnj.exe
        33⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Blbaihmn.exe
        
        C:\Windows\system32\Blbaihmn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Bpnnig32.exe
        
        C:\Windows\system32\Bpnnig32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Bbljeb32.exe
        
        C:\Windows\system32\Bbljeb32.exe
        36⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Bekfan32.exe
        
        C:\Windows\system32\Bekfan32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Blennh32.exe
        
        C:\Windows\system32\Blennh32.exe
        39⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Bpqjofcd.exe
        
        C:\Windows\system32\Bpqjofcd.exe
        40⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        41⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:348
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        43⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        44⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        45⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        48⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Badcln32.exe
        
        C:\Windows\system32\Badcln32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        50⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        53⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        57⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        60⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        61⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        62⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        63⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        65⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        66⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        67⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        68⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        69⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        70⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1708
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        72⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        74⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        75⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1176
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        77⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        78⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        79⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        80⤵
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        82⤵
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        83⤵
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        84⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        86⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        87⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2828
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        89⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        91⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        92⤵
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        93⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        94⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2932
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        98⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        99⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        102⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        103⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        104⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        106⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        107⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        109⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        111⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        112⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        115⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        116⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        118⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        119⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        120⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        121⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        122⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        124⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        125⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        127⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        129⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        130⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        132⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        133⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        134⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        136⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        140⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        142⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        143⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        144⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        147⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        148⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        149⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        151⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        152⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        153⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        154⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        155⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        157⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        160⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6364
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        163⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        164⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        166⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        167⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        168⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        169⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        170⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        172⤵
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        175⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        176⤵
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7052
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        179⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        182⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        183⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        184⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        185⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        186⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        187⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        188⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        190⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        191⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        192⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        193⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        194⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        195⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        196⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        197⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        198⤵
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        199⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        201⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        202⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        203⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        204⤵
        Drops file in System32 directory
        
        PID:7008
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        205⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6528
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        208⤵
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        209⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        210⤵
        Drops file in System32 directory
        
        PID:7212
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        211⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        212⤵
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7332
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        214⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        215⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        216⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7500
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7540
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        219⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7620
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        221⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7656
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        222⤵
        Modifies registry class
        
        PID:7700
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        223⤵
        Drops file in System32 directory
        
        PID:7740
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7780
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7824
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        226⤵
        Drops file in System32 directory
        
        PID:7864
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7908
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7944
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        229⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8028
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        231⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8112
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        233⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        234⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        235⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        236⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        237⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7404
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        239⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7548
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        241⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        242⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        243⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        244⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        245⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        246⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        247⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        248⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        249⤵
        Drops file in System32 directory
        
        PID:8136
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        250⤵
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        251⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        252⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        253⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        254⤵
        Modifies registry class
        
        PID:7612
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        255⤵
        Modifies registry class
        
        PID:7724
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        256⤵
        Modifies registry class
        
        PID:7852
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7904
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        258⤵
        Modifies registry class
        
        PID:8052
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8148
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        260⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7264 -s 408
        261⤵
        Program crash
        
        PID:7648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7264 -ip 7264
1⤵
PID:7508

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:7604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aackeqeb.exe

Filesize
428KB

MD5
313c772cd0bbe4f6b353f17ddfa2ecb6

SHA1
314eef9d1fec719ec6c0566acfbe7a6d4f56218d

SHA256
7e7b80b6e924f93ba0d6dc3156ccca2426c0115db7ab8a56491d14d977109095

SHA512
43075fc74ca8e34ceddcf39454977e122e6d90b03a1f8318432b35d42ca1b744c32ba2312dfea439c90843fe6d709e7bb1fbc7e71a62f93bd4f693a401fd0953

Download Submit
C:\Windows\SysWOW64\Aafgkpcp.exe

Filesize
428KB

MD5
3473a580e0f5a79aedc556ba23adea82

SHA1
930a9bc6a21dbccef481c07fe5d4f1ff9f8026ce

SHA256
3c2c830b2c633d6892dfdce13ec2065a6a20a8f8dd01c00e9434ec9884925b11

SHA512
30849c35e67b7cfe1a4792c0ac4daa26684cacfbae9698f3636906e614aab7aab152cc0cadbae586e9a3f6139085788485ae1196d8a5225d8d6b8f61b4f4716f

Download Submit
C:\Windows\SysWOW64\Aahdqp32.exe

Filesize
428KB

MD5
9a3b4d964fa70f27bfec8103a92f6331

SHA1
df5b6cc11472a77bc8de1ae3ea70f2ed25012e88

SHA256
8a1abff6bcb782ecf18a06c38f47e5569cb8259e7ceac5c0a3cf611e5f03cef4

SHA512
e689bbd71731baa0bcc761f03580121a50cd4670b59b3fdd7c635ef316aaeece0b1515a59478ae4ed21f94febf445a2ff44160d28edd3a3a0d9a4db465dee9e9

Download Submit
C:\Windows\SysWOW64\Ablaodbm.exe

Filesize
428KB

MD5
43b1b1bc57feb69d34e30fbdee59e431

SHA1
67a483ab6c5d9f628358ae1fb758207e96588be2

SHA256
2cabafa51ec49ec1e7c3c7c67804cba8b67475f39dff5ef49af3666347d88042

SHA512
506c2c3084e881612989bd67b32a5bb8507fef07bf181066faae3986bfa8629ffb5fd867378822120044efe62619bd7a30b1a269c7358502f88acbc3dada4914

Download Submit
C:\Windows\SysWOW64\Abnnddpj.exe

Filesize
428KB

MD5
2b806643b8e7115539af8b34e4688a7b

SHA1
8689d3207ed1e142ac3da4fa21bec49f8b7c9d6f

SHA256
861702f87b4b2b34881aa673bfc586fcf204f30fb894256f1e93dd43ff28e1e4

SHA512
1645b003c80cf62ba7281a548465a0a72ac5a79ba14245c464ebbcd323b61c3cc62fa27a5b166a3bb23fd9e8095dde5ffd0b934cb46ed31b6fa4a8751e914dd1

Download Submit
C:\Windows\SysWOW64\Aeacko32.exe

Filesize
428KB

MD5
d7f1a4d7353ad4c694cc597d0e0166f2

SHA1
fce61deffb379dd20ff2896a80de360977b1bcb8

SHA256
d7565e83b6a793adb36c329cd698c5aff95c4b24fb4730872f12d50634278a88

SHA512
d996334e1fb617816d673eaf8f999ac1499c2c52606b6353590287155a26a2ecf340a9bfda189c37d7b1b2e5a5f4c6d04d06c9148dcb64bb171b3341945eea62

Download Submit
C:\Windows\SysWOW64\Aedpaoif.exe

Filesize
428KB

MD5
97274daf463b7d304f0fec72bb8c53ec

SHA1
d5da3fe813fc3647db47619b367c2d62af7daaab

SHA256
1d5714cdba956724a40cddf2b6f6b2937478e5c54d7af43d6b88a88a262ef16d

SHA512
ad104f14cadb88e20447acd13b967e8a4579405cb4d0054824cbe78fd9db521817516db971b472bc99734ee0ee1af23fd7c65bdc665a568630b587012e4c6928

Download Submit
C:\Windows\SysWOW64\Aemjpp32.exe

Filesize
428KB

MD5
0c9ae130408bac6fda438455b75014e8

SHA1
20864aacfd87c2d27e8d038e765d04455472056d

SHA256
aab7f2c26fc4866f88bb43f0f2a0bc1e1caae089588aeeb823a761a09e5e6549

SHA512
779c69773e7ef8bdfb558f1bbb775d1aa63466f09b9ac04b7d166c77e14a5967509cc9f8d4a898ee9fc15d330c7b46453662a06f1317cc24033a67a6cd19ba94

Download Submit
C:\Windows\SysWOW64\Ahppgjjl.exe

Filesize
428KB

MD5
0b3c866bb8dd4014946e7a480f48772c

SHA1
f96a45781b27bbe4830e5c397bfa92b82dc166e2

SHA256
564679ce6497a6d61d58223ddfeff57f820b989f5f6cb01c55b5559ae33720a1

SHA512
ef00b2148ae766303cb8cd0dbfe9da3f24b5b20e6912d02ffe0069b48d063e327dd632440b71c9427b6b02a5deea49fe9d6571f666c374cdef0a9c8f29709ab1

Download Submit
C:\Windows\SysWOW64\Aifiko32.exe

Filesize
428KB

MD5
8fe11f12d54e1413ef8e2a181c94c8e1

SHA1
cb9bfe8c601efd7a7ec7a2f0d65530a388b09e26

SHA256
bf8ba8fffbf013f037e2a83c4112ef821f935e695a43760b034835cde87aebb0

SHA512
8d5054a0fb71cec73506205b480102d1be86b85ffa21c2172df0ebfffa9baf747e997a79759a84d32023430acad98a61790796cfc939f63ac94717d7be36e0aa

Download Submit
C:\Windows\SysWOW64\Aikbfnfd.exe

Filesize
428KB

MD5
dc52f0f110df909561939e62470c9820

SHA1
ce9b93e3bfdaf96086bda89fed72cde5f7004583

SHA256
f7ab6b3d3795dce967e390bf098a69eb6471b8d76ae35ef82b68ce3e406297ae

SHA512
59c9573ca58a2ad53ade61db675618db9e53596f8495f9493b8136fe13e6f932e27b00316b96fb9817a78e902c7e469800f8905ee28c9265c55a2d28984c97ef

Download Submit
C:\Windows\SysWOW64\Aimoln32.exe

Filesize
428KB

MD5
5967740abeb4e0e598bbd08882e6a9ac

SHA1
ad51b4ed1bb65ffb2a939030d53cc5924fa93e3f

SHA256
c2517244891e6acce067dee2bb62192ff5ab55a15e484ba0cf16559e2b896f18

SHA512
4798baa66e1a7d2250def8ee6a0f15a33686cbb52fb70b703d9bbde3777f806a323da97b650acea513112b9bbbfad5bb0cdcd148bf46ed8974bf37af7cdc7725

Download Submit
C:\Windows\SysWOW64\Aiolam32.exe

Filesize
428KB

MD5
ef78069109d0bcde14389583a9252e1b

SHA1
225aeb7307af204e84e1ecc2c67bfe5d6e12b196

SHA256
89d576e7cdd066072845529d46bbab40a29f6e5ccc7004956c21225b18d6c1da

SHA512
246eb38013232c25dc7356f800cdeade8e2edfe2397ebc19699399f21cc47a6aa0575331827e663e32887fc1cfa954b1b371da833ee6701b95b159216fa231bb

Download Submit
C:\Windows\SysWOW64\Aliobieh.exe

Filesize
428KB

MD5
abe5691d44d8caf0099b47cbcbc496ff

SHA1
b929008fa3c05330836b92fafc02d7293ed06d9b

SHA256
142ec9499fe242aff5a8f2d851b3bc3817f54a485464911d1198a68932d22d00

SHA512
21cff6f0c081af80e0e7ca75950443f91fa9616ffb5a6578ab225193f965a3597cd3d2a04d17b1c221fd5797199eaea47ade83e1ec8b35d066d6a660d3f95b56

Download Submit
C:\Windows\SysWOW64\Aocace32.exe

Filesize
428KB

MD5
ef1aea044594c815891ac9a26693ecef

SHA1
5956ea8c9aa4b35d3b0d6c7fed29450c769b84ce

SHA256
a3de05b94c4c55352778c1fe6ceb3de1f1f28822885f79ac2960aa3d2aeb6327

SHA512
1f410ef7423fbac195698432dd242a1d87b289169fa690510ea61878184416d84050d92a4a4392cf92f437ab9123846d07971f10bb81dfe706f5809f11c96404

Download Submit
C:\Windows\SysWOW64\Aoeniefo.exe

Filesize
428KB

MD5
7ef8e00015d705682f57276b1b65cbf5

SHA1
0145d5cca365f7c5752dc192989a1c97c3833e42

SHA256
1ff2138ef6fbeb3839f50e490dc0d74c16ac767237474772f547fe043bd56e03

SHA512
58b37075c5853adad81611110676cd4db2cba1b8008afa535b6fde034abf783e7b1204ed9c47a4279b8ac51deb287598895d9cd069e0a2ff1ae0b41b83ceab3c

Download Submit
C:\Windows\SysWOW64\Aogkoedl.exe

Filesize
428KB

MD5
517657b3dd5d44e90270500ed481042d

SHA1
99830f13c34ec44e142c0fe3b85edeaf63eea84e

SHA256
98136ec0362a6b82c3cfd147528419f063cc807c48e69b08dd3a671546ddc1c1

SHA512
81630e775bd7f7bf19c3b684bb4b3dfbcfad5630c923b8465e79a311f05e2035e3edb1ad82c84c1f983cd7f565c499df3e39ba769186bb072129d94fd52c1a50

Download Submit
C:\Windows\SysWOW64\Aojhdd32.exe

Filesize
428KB

MD5
bf622667f174d71c7064b9b1941fe49e

SHA1
b3bed7a602723cbd43e59cb583fb2dd9b1100ac6

SHA256
59616c064a1ad59b1f404fd9829305fbf7d51c186d362906b4ccf0007823193e

SHA512
00d739150deb2292e41d00372f4131cb462153dd8c1cecf8b6a13bc7889d8dc24affb6406126d2a1fb7b3af27263b8f8768898ded69569ec2e1983ce85d7a395

Download Submit
C:\Windows\SysWOW64\Apbnnh32.exe

Filesize
428KB

MD5
1040d7481691e0d08297a88b3574ed06

SHA1
93e7ee54e0c4fd5c4bf59dd505951521cbf312de

SHA256
77ceff0cfc1781a3f29e384b159f29bcbbef554ca23a6ca000c8e146dbcd6d5a

SHA512
01d4661cee573ac897f71da915f30747d3a200b32ea55ed95ddb47bb793db995a5153678be980d5a4fae71ca21429e0991a539fd00a4ef9b46189b30c8fe9494

Download Submit
C:\Windows\SysWOW64\Apekch32.exe

Filesize
428KB

MD5
07b4812bce7a89235844e950a55c4a33

SHA1
5649886b60864b84b2f721cd1a6e3e17cd21b34b

SHA256
4fa9d58dbb4bea5f648f9b07f178c6780ddc80f54cb902aa4233bde798b79185

SHA512
29bfdb3e942d2f2068a1b73e992e67729915fbffda60657e484f5115eb5aca3c5edc400ecd6c8ad25a8752a674987312d0ef0db10c47243b50ff4b018fe3bd1d

Download Submit
C:\Windows\SysWOW64\Apggihko.exe

Filesize
428KB

MD5
c56e3bef33fd67953406e03612af13ef

SHA1
1d6584057a14e5f3deabf691e806fb5aeb16046a

SHA256
ee2c9fc96ffdb4cc225eca567700c36871896b3ad89e3b2b8339e59e08ffa747

SHA512
2e237d538ba25425fe4dc6bb4f485f052ef61438424b85e07e95ebaa706123d746a96120418a64993267543c831052bdba596ad5dc69a79394d7e0f8569982fc

Download Submit
C:\Windows\SysWOW64\Apndbici.exe

Filesize
428KB

MD5
95e1557de51829c323430cbb54de2768

SHA1
522221a762075dbe73801c4b35230f954b560698

SHA256
4e9254f86959b1fe023c6145377a8b44099b8be9c6de39a1cc1759ea62c284f6

SHA512
843f28d4af0c258514308c37653d6d5be11aa5d4a95099af6d04c77fdafe06a945c59ad6ba8c0e1530f05f6c821b11bedf9e2d46e2313b11168885a58556474b

Download Submit
C:\Windows\SysWOW64\Bbjmpb32.exe

Filesize
428KB

MD5
0097daf711c70abb0a65c228c5a509f8

SHA1
86d2ca7a15da79e78ce2a8949fe151f6d993fcd0

SHA256
4b046b4852f9bbf58e285842e01b37a23e27e5a813f02235995249f3062245c6

SHA512
572f7e4e53983411e737af123cd63d16e67fed7cbf2ba61f348cedb4f3ed133a9b21782ee41a0ad5269653e339e875c9772d68fc9c8ad78dd40278547367673a

Download Submit
C:\Windows\SysWOW64\Behiln32.exe

Filesize
428KB

MD5
ba539363d23e81f8d9ec81fe9b022e6d

SHA1
da6092949e5c11c5ecdb31edf14be53d9a455eda

SHA256
eccc0a23b64385e7fabc63740dc09192eedee1931a6585a15a87e77951810b52

SHA512
c95120207a9c7092c638148937156b010065dfd6da4507761157ce416818c63e2bcdc59b7f59d706117f35db87b760b2f5848d7b1560b51f7e0e5c85e8dda65a

Download Submit
C:\Windows\SysWOW64\Bhdibj32.exe

Filesize
428KB

MD5
4ac2c64d795d13896561ba31945ca2b0

SHA1
5cb7464d29bb33d5da8e93bb27986f81b109d938

SHA256
8c66de304f99b626e7248659f9f24fe905920d9170f157f0d399969fe1cabc89

SHA512
bbbc2aafd69c2d07dbe3526ff2b2ac89605d998c396628700ae75d17adc2e8318a07951eac9c9ca0504725f070e7e94511284eed67575a4cc00c194e4ba71d9c

Download Submit
C:\Windows\SysWOW64\Bibigmpl.exe

Filesize
428KB

MD5
f91c33da5f789ce2e0e26f25e869510f

SHA1
624093267b85f35e62e71b4d089b6836f368659e

SHA256
37e1a49d16ca9fdacecd156e2b8784bf2a0aba33224f218c259fa67af7ff7de9

SHA512
8740c3a042be258ff9bc03b56e811df9fca5f8d9cea5d00db95cea1aee6fd9c82bb716027581430dd4ff16d11dbd85a965635382719ea99cbbb43fb50511cc4a

Download Submit
C:\Windows\SysWOW64\Bidemmnj.exe

Filesize
428KB

MD5
31aab7e864282879310d7c8b3d956160

SHA1
9a9ecd0e6fec7105573b3643197421f9506bb98f

SHA256
31f2353d8416f9c99748ccbfbb4e015660db600dbb7636220bd4a4dc632e8875

SHA512
72e2f593a6f21e83e73e8e3ee5e8b04df64ab2c42f71f36ad80f8a5f905d72663d23b19633dfd8c76fdcb1aad933cef0cc168b0f05d0f2ae56a59ea741c4bc35

Download Submit
C:\Windows\SysWOW64\Blnhni32.exe

Filesize
428KB

MD5
292ceab0025dd394fd12191676926d01

SHA1
f377d83bf4b642916af0d63b60ed9e8a3bc95a90

SHA256
0d055ee4a4fc4c6cbae580818b111744f5bd2c237b778ddacd450d9b811274ba

SHA512
a3f56d1af6110c8e80ad5edb6bee134aa66415f80616395f5de3ac4e90c24401dcc6ff49cf81ff7d1c5afff77db5a013d8d757a30fc0b0c62827934e7fd8db1d

Download Submit
C:\Windows\SysWOW64\Boldjd32.exe

Filesize
428KB

MD5
e51ca6b9cadbe02236718bca82d6f438

SHA1
02c05359fd588cb9477d360dd1694b14390c03f1

SHA256
11fcfe3539b5060cfdcca2255c7642e622132672d3f84e97e57e616761fbb5b6

SHA512
d74ccb53efa7dfc1feb0279acb814ad50806c666b99ab7358faf83473cba4048bef2c8554f637873170eb08425ad4be67bf719275e89b23be9be48836688d974

Download Submit
C:\Windows\SysWOW64\Booaodnd.exe

Filesize
428KB

MD5
dec4e33b14b6b798f732e59d42f61fc9

SHA1
305760deccde8369a549416dfe83098ccb3ad796

SHA256
44b4af80829e9c6f5fe5e55e6b803e5ea1b65fc6fadbb8f7590dae8ca2900f88

SHA512
3e2159fcb8f665159a29fc958e98f39dc239997482771b257fe4ab41f9ad47ed77ed7179fbcf265cd7fa1b84bf112efe88beda64d9d65e15aec924ac94800a34

Download Submit
C:\Windows\SysWOW64\Bpidngil.exe

Filesize
428KB

MD5
ccb629524dfdd2e8113d8ce4b5a400c5

SHA1
11adb84a7635ce88d2fb7b7e1809c7fc79db7eea

SHA256
de794ac5e3ae3fd5eff5cda7ccd26aded63ce57090bf019cf5bfbb8fb93624c5

SHA512
17e5eb92ed55b2f491c5dd4cee6ad99e4a6379343179c5b182b9925e104d1bc3065888f1e4ee468e1800df414e63884ba47dc5c62ff85fea560fbc1ae88c6143

Download Submit
C:\Windows\SysWOW64\Bpladg32.exe

Filesize
428KB

MD5
9276b918171abada9b9edc4249e1dedc

SHA1
89ae9bd488a52275a40148bf2c5e8a7f6273838f

SHA256
782f2a62820bb1b461b952a81e430a081fc3ac08a6ec308a2942bce568b0384e

SHA512
e8cd151120a1c8a7d433bb55fd991a79f6a587fec6978f76d607053a74e18fe287ec19d93557ffd7e8c2039e7b102e0740252b1262d15c6fc71d6c8148678b35

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
428KB

MD5
0d2cfcfef24d2678d08fe6fc4e3aeea1

SHA1
b68e0bb90829b8ca5f4262d954dfb557d4e1e747

SHA256
450cfa12b0678d09e7b5cc1875bebc254bb9b1f10ee401d52606e1b5109ff4d7

SHA512
3059e6f5d573890b142b79849254bfcf2790dcc264d5d5580732e77b517ea100cd42758036d983eee1e1fc61b4eea56db0a0551c1e37c5d3342083c55ac77a8b

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
428KB

MD5
02304d619257a9b90d63e4484e1fc19b

SHA1
9f308da2e8bcc44429548cc85f6a80e7563c4a00

SHA256
b9c181b4d68a92ed96ef69fc9b69e692df9d81aad49679f1cd1ba48190b028ea

SHA512
166b02286c6d6691a7cdc481600e6279750df897ce51623674cff31a44bee78392059108c3f2766c47b165d245d366b136442a3de7e0c49c276311a4bc020ad3

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
428KB

MD5
4a527f6ed0b6e201e2d81feb1f2299be

SHA1
3ca9dab9967c59c21efa4bab0fd44657bf90d02f

SHA256
e39d241f68b4dff444479e995e7155da48e086b84e87ef61ea5e1e14aa2944d9

SHA512
2cd481d9ebb207a592b2dd115b82793ded1b0ac69665a5d744f1ace909014990fae72ab538a81094bf9ce38861da7838ae24bf38e17fc7f2f6251755715af8fb

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
428KB

MD5
c1a070e96cb3e72799d7afcd45378729

SHA1
5c47410f28c40b57d48dfc5a9da75a3a5927bf9f

SHA256
4adfa54bedb9dc16b814b44a79f637291bbb5d25f49b6f011859d316d6f2d120

SHA512
6ea767a6c7d95095432d7d72da99f8539ce60dd6564860e62602f464f6853f628633f8092a2da487176b9df3968ed98ad9a6f8bf676a1e2221557dbeb1393429

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
428KB

MD5
9d49217def46039b85f45e0d2245444d

SHA1
4a9471a36bab3f197a00dade9ef7284d8460312b

SHA256
212479ef29f7714607c87b5addac0784b3f248e7b2c5bd4365e2c9f8a5f12c8e

SHA512
48b652b21c418e245c62486abe3daabacdd083c5ce36bb62c8b33d5bc5d78ae7c4079507cef571a775b0dc8f3087aa1ec0eeda228211598a6ae25e88d5675b13

Download Submit
memory/320-386-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/336-462-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/348-434-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/924-398-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/992-378-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1156-536-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1216-517-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1568-32-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1708-478-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1744-502-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1792-570-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1808-399-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1932-463-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2068-412-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2088-47-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2348-413-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2400-448-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2416-372-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2476-469-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2480-423-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2736-12-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2828-551-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2856-16-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2900-365-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2928-568-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2932-587-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2944-519-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3024-405-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3040-393-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3176-382-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3220-352-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3320-358-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3356-535-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3520-471-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3632-456-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3688-464-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3692-447-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3800-500-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3884-406-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4004-598-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4040-584-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4084-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4092-495-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4256-42-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4376-427-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4404-449-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4456-553-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4492-431-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4512-426-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4536-359-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4580-350-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4776-385-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4808-419-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4836-477-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4972-440-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4980-483-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5032-370-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5036-455-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5044-24-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5100-441-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5140-608-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5180-610-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5220-620-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5300-631-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads