e13f628d55ad9d32024f4677cd20ca27808e383493c0bd5a02cbb2343b018449

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

051eba86155865043a89584f014b83f5.exe
Size

79KB
MD5

051eba86155865043a89584f014b83f5
SHA1

78e73031aec9a34c6ed07b1864ace05eaf4190ee
SHA256

e13f628d55ad9d32024f4677cd20ca27808e383493c0bd5a02cbb2343b018449
SHA512

6b05daa2ae9056a34bb08af1db613ff58e2ad86af117f21658b703af266d16b81bd45cdd8ca9cdd9fc03e9e08f08224b4821821a6068d0889470f195480dbe5a
SSDEEP

1536:9Y5C0vTGKWAHVIQlmUOJKGYyAwkMsAF1UExiFkSIgiItKq9v6DK:9W6KWAHVIQlROYHbxAXUExixtBtKq9vV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmabdibj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffkjlp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkaejf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jehokgge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhcpgmjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flqimk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfqlnm32.exe

Executes dropped EXE 64 IoCs

pid	Process
940	Eadopc32.exe
1400	Fljcmlfd.exe
1592	Fafkecel.exe
532	Fhqcam32.exe
2792	Fojlngce.exe
4736	Fhcpgmjf.exe
3684	Fomhdg32.exe
3952	Ffgqqaip.exe
504	Flqimk32.exe
916	Fooeif32.exe
3624	Fdlnbm32.exe
1936	Flceckoj.exe
1616	Foabofnn.exe
2396	Ffkjlp32.exe
4336	Fhjfhl32.exe
2216	Gfngap32.exe
2912	Gkkojgao.exe
4864	Gcagkdba.exe
4020	Gdcdbl32.exe
5080	Ghopckpi.exe
3176	Gohhpe32.exe
2100	Gfbploob.exe
3376	Ghaliknf.exe
5088	Gcfqfc32.exe
4352	Gicinj32.exe
4976	Gkaejf32.exe
1008	Gblngpbd.exe
1572	Hmabdibj.exe
2296	Hopnqdan.exe
984	Hfifmnij.exe
2904	Hbpgbo32.exe
280	Heocnk32.exe
4856	Hkikkeeo.exe
1516	Hbbdholl.exe
3680	Hkkhqd32.exe
396	Hofdacke.exe
384	Hfqlnm32.exe
388	Hecmijim.exe
2868	Hmjdjgjo.exe
4200	Hbgmcnhf.exe
772	Iefioj32.exe
2368	Immapg32.exe
1716	Ibjjhn32.exe
492	Iehfdi32.exe
3612	Imoneg32.exe
1472	Ifgbnlmj.exe
552	Ildkgc32.exe
456	Ifjodl32.exe
4092	Imdgqfbd.exe
5068	Ilghlc32.exe
4168	Iikhfg32.exe
760	Ilidbbgl.exe
872	Icplcpgo.exe
3208	Jfoiokfb.exe
3604	Jmhale32.exe
1584	Jpgmha32.exe
5020	Jfaedkdp.exe
4508	Jioaqfcc.exe
4240	Jpijnqkp.exe
3020	Jbhfjljd.exe
3840	Jianff32.exe
4284	Jplfcpin.exe
4344	Jbjcolha.exe
2008	Jehokgge.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jblpek32.exe	Jpnchp32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Fomhdg32.exe	Fhcpgmjf.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Fojlngce.exe	Fhqcam32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ffkjlp32.exe	Foabofnn.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Elikfp32.dll	Ghaliknf.exe
File opened for modification	C:\Windows\SysWOW64\Kipkhdeq.exe	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Iefioj32.exe	Hbgmcnhf.exe
File opened for modification	C:\Windows\SysWOW64\Jplfcpin.exe	Jianff32.exe
File opened for modification	C:\Windows\SysWOW64\Fljcmlfd.exe	Eadopc32.exe
File created	C:\Windows\SysWOW64\Mjljbfog.dll	Flqimk32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Fhqcam32.exe	Fafkecel.exe
File opened for modification	C:\Windows\SysWOW64\Fhjfhl32.exe	Ffkjlp32.exe
File created	C:\Windows\SysWOW64\Pkbbae32.dll	Hofdacke.exe
File opened for modification	C:\Windows\SysWOW64\Hopnqdan.exe	Hmabdibj.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Mipcob32.exe	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jmnoof32.dll	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	Kemhff32.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Pldhcm32.dll	Iefioj32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Gkaejf32.exe	Gicinj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Knkffk32.dll	Fomhdg32.exe
File created	C:\Windows\SysWOW64\Hmabdibj.exe	Gblngpbd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8432	8336	WerFault.exe	365

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfgefhai.dll"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohbh32.dll"	Ibjjhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbbae32.dll"	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keblci32.dll"	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkkdmeko.dll"	Fhcpgmjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdlnbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hecmijim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkikkeeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamhhedg.dll"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekgfqeg.dll"	Hkikkeeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eadopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlplhfon.dll"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fljcmlfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmabdibj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagplp32.dll"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghopckpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfcpin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 940	2808	051eba86155865043a89584f014b83f5.exe	86
PID 2808 wrote to memory of 940	2808	051eba86155865043a89584f014b83f5.exe	86
PID 2808 wrote to memory of 940	2808	051eba86155865043a89584f014b83f5.exe	86
PID 940 wrote to memory of 1400	940	Eadopc32.exe	87
PID 940 wrote to memory of 1400	940	Eadopc32.exe	87
PID 940 wrote to memory of 1400	940	Eadopc32.exe	87
PID 1400 wrote to memory of 1592	1400	Fljcmlfd.exe	88
PID 1400 wrote to memory of 1592	1400	Fljcmlfd.exe	88
PID 1400 wrote to memory of 1592	1400	Fljcmlfd.exe	88
PID 1592 wrote to memory of 532	1592	Fafkecel.exe	89
PID 1592 wrote to memory of 532	1592	Fafkecel.exe	89
PID 1592 wrote to memory of 532	1592	Fafkecel.exe	89
PID 532 wrote to memory of 2792	532	Fhqcam32.exe	90
PID 532 wrote to memory of 2792	532	Fhqcam32.exe	90
PID 532 wrote to memory of 2792	532	Fhqcam32.exe	90
PID 2792 wrote to memory of 4736	2792	Fojlngce.exe	91
PID 2792 wrote to memory of 4736	2792	Fojlngce.exe	91
PID 2792 wrote to memory of 4736	2792	Fojlngce.exe	91
PID 4736 wrote to memory of 3684	4736	Fhcpgmjf.exe	92
PID 4736 wrote to memory of 3684	4736	Fhcpgmjf.exe	92
PID 4736 wrote to memory of 3684	4736	Fhcpgmjf.exe	92
PID 3684 wrote to memory of 3952	3684	Fomhdg32.exe	93
PID 3684 wrote to memory of 3952	3684	Fomhdg32.exe	93
PID 3684 wrote to memory of 3952	3684	Fomhdg32.exe	93
PID 3952 wrote to memory of 504	3952	Ffgqqaip.exe	95
PID 3952 wrote to memory of 504	3952	Ffgqqaip.exe	95
PID 3952 wrote to memory of 504	3952	Ffgqqaip.exe	95
PID 504 wrote to memory of 916	504	Flqimk32.exe	96
PID 504 wrote to memory of 916	504	Flqimk32.exe	96
PID 504 wrote to memory of 916	504	Flqimk32.exe	96
PID 916 wrote to memory of 3624	916	Fooeif32.exe	97
PID 916 wrote to memory of 3624	916	Fooeif32.exe	97
PID 916 wrote to memory of 3624	916	Fooeif32.exe	97
PID 3624 wrote to memory of 1936	3624	Fdlnbm32.exe	98
PID 3624 wrote to memory of 1936	3624	Fdlnbm32.exe	98
PID 3624 wrote to memory of 1936	3624	Fdlnbm32.exe	98
PID 1936 wrote to memory of 1616	1936	Flceckoj.exe	99
PID 1936 wrote to memory of 1616	1936	Flceckoj.exe	99
PID 1936 wrote to memory of 1616	1936	Flceckoj.exe	99
PID 1616 wrote to memory of 2396	1616	Foabofnn.exe	100
PID 1616 wrote to memory of 2396	1616	Foabofnn.exe	100
PID 1616 wrote to memory of 2396	1616	Foabofnn.exe	100
PID 2396 wrote to memory of 4336	2396	Ffkjlp32.exe	101
PID 2396 wrote to memory of 4336	2396	Ffkjlp32.exe	101
PID 2396 wrote to memory of 4336	2396	Ffkjlp32.exe	101
PID 4336 wrote to memory of 2216	4336	Fhjfhl32.exe	103
PID 4336 wrote to memory of 2216	4336	Fhjfhl32.exe	103
PID 4336 wrote to memory of 2216	4336	Fhjfhl32.exe	103
PID 2216 wrote to memory of 2912	2216	Gfngap32.exe	104
PID 2216 wrote to memory of 2912	2216	Gfngap32.exe	104
PID 2216 wrote to memory of 2912	2216	Gfngap32.exe	104
PID 2912 wrote to memory of 4864	2912	Gkkojgao.exe	105
PID 2912 wrote to memory of 4864	2912	Gkkojgao.exe	105
PID 2912 wrote to memory of 4864	2912	Gkkojgao.exe	105
PID 4864 wrote to memory of 4020	4864	Gcagkdba.exe	106
PID 4864 wrote to memory of 4020	4864	Gcagkdba.exe	106
PID 4864 wrote to memory of 4020	4864	Gcagkdba.exe	106
PID 4020 wrote to memory of 5080	4020	Gdcdbl32.exe	107
PID 4020 wrote to memory of 5080	4020	Gdcdbl32.exe	107
PID 4020 wrote to memory of 5080	4020	Gdcdbl32.exe	107
PID 5080 wrote to memory of 3176	5080	Ghopckpi.exe	108
PID 5080 wrote to memory of 3176	5080	Ghopckpi.exe	108
PID 5080 wrote to memory of 3176	5080	Ghopckpi.exe	108
PID 3176 wrote to memory of 2100	3176	Gohhpe32.exe	109

C:\Users\Admin\AppData\Local\Temp\051eba86155865043a89584f014b83f5.exe
"C:\Users\Admin\AppData\Local\Temp\051eba86155865043a89584f014b83f5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Eadopc32.exe
  C:\Windows\system32\Eadopc32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\Fljcmlfd.exe
    C:\Windows\system32\Fljcmlfd.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\SysWOW64\Fafkecel.exe
      C:\Windows\system32\Fafkecel.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:504
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        23⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        30⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        32⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        33⤵
        Executes dropped EXE
        
        PID:280
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        36⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:492
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        47⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        48⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        50⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        51⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        52⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        53⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        54⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        55⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        56⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        58⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        59⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        60⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        61⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        64⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        66⤵
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4992
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        70⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        71⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        72⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        74⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        75⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        76⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        77⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        79⤵
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        80⤵
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        81⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        82⤵
        
        PID:460
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3816
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        84⤵
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        85⤵
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        87⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        88⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        89⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        91⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2068
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4768
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        94⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        95⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        96⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        97⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        98⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        101⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        102⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        103⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        105⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        106⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        107⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        109⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        111⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        112⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        113⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        115⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        116⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        117⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        118⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        121⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        122⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        123⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        124⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        126⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        127⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        128⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        130⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        131⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        132⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        133⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        135⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        137⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        140⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        142⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        144⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        145⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        146⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        147⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        148⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        149⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        152⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        153⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        155⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        157⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        159⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6396
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        161⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        163⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        164⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6608
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        166⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        167⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        168⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        169⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        170⤵
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        172⤵
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        173⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        176⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        179⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        180⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        181⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        182⤵
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        183⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        184⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        186⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        188⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        189⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        190⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        191⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6632
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        193⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        194⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        195⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        196⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        197⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        198⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        199⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6956
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        201⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        202⤵
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6896
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7148
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        207⤵
        Modifies registry class
        
        PID:7176
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        208⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        209⤵
        Drops file in System32 directory
        
        PID:7260
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        210⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        211⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        212⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        213⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        214⤵
        Modifies registry class
        
        PID:7464
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        215⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        216⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7592
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        218⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        219⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7712
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        221⤵
        Modifies registry class
        
        PID:7756
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        222⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7840
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        224⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        225⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        226⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        227⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        228⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        229⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        230⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        231⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        232⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7228
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7320
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        235⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        236⤵
        Drops file in System32 directory
        
        PID:7444
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        237⤵
        Drops file in System32 directory
        
        PID:7492
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        238⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        239⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7720
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        241⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        242⤵
        Modifies registry class
        
        PID:7856
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        243⤵
        Drops file in System32 directory
        
        PID:7928
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        244⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8044
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8100
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8184
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7220
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        249⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7332
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7472
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        251⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        252⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        253⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        254⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        255⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        256⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        257⤵
        Drops file in System32 directory
        
        PID:7304
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        258⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        259⤵
        Drops file in System32 directory
        
        PID:7700
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        260⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        261⤵
        Drops file in System32 directory
        
        PID:8152
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        262⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7612
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        264⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        265⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        266⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        267⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        268⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        269⤵
        Drops file in System32 directory
        
        PID:7372
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8208
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        271⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        272⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        273⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8336 -s 396
        274⤵
        Program crash
        
        PID:8432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8336 -ip 8336
1⤵
PID:8408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
79KB

MD5
a5b06ec24dafd374f9607efeb465652c

SHA1
a03a0a6ae46b9827ac3d53c180e9e6366635663a

SHA256
544a0eed524d5b990e2e641ede9fcec19ec4aa7bc7276f4fabb487e6b27c4e61

SHA512
3dbbcf0242be99ec30d9738dd3c32fce22e589fcb5f9732ce571dc4f1f5b0a59cde096838858ecc8537ce7a27f972741a260a9f8cef6043ccd9a662526e15090

Download Submit
C:\Windows\SysWOW64\Eadopc32.exe

Filesize
79KB

MD5
f2b9c1dff6d832945f7678eedf886aa1

SHA1
e8d23d5e7a0df227f205ca268194326ec996f6e6

SHA256
b4de4f67e8417efee2bec4f13d19d037992f30fe52b5f9fa46707482499edad2

SHA512
bb4c0e5e1bb6f85dbf14409089982c5e2c666633a8ebd32b3da6a88ee56336c704cd3554aec5a06bb884ce18b7f3b209d4568f5f9e84fa876e95f0111cc15d74

Download Submit
C:\Windows\SysWOW64\Fafkecel.exe

Filesize
79KB

MD5
546e617c3f4fe2c9584143dfaf2a6d23

SHA1
5624d29b08e75f8c071fd825d48efc5d31a12451

SHA256
2b274f1382e245c60b878412c8fd7c5eca0741619a1601a12a5bd55c71f04147

SHA512
46b372df956f057ae5085b27e21a497a56e55b2d70c07fd83bbfa4029c92184103ac08420793724bc62269c99c36faaaaa56f2b66725e7e1afa59d7bd465e58d

Download Submit
C:\Windows\SysWOW64\Fdlnbm32.exe

Filesize
79KB

MD5
f42383b5b44ebe321d18ec797aa86cdd

SHA1
74ba3cb1eed14c49ead0b044bd76dc35bf136f12

SHA256
f72bc2e5259984ed3d1b71f64e2da184276622ac3cd9727ae9bf94a633f45ec4

SHA512
8b1ec5e10bca97da5eb272f3a37364843314befbc5b1aa81547698efcae66b506ec95ab81f7199144dfb3b62c40326420810134fc02dbcf1637bcd928acb6475

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
79KB

MD5
7f5b717828ce4b5004403ce2b7857ac6

SHA1
12614feb89fc6ed766e82032a14159b7194f9aa0

SHA256
19b08aad0bb6ac5e854e5862c26052cd8436d72d79380c58700860647dbd388e

SHA512
b20bef5e6f49b70054b5e5680aa931475cb414e772b903ffe6e6977f26e6191a3a8aa692fee31031d2ee216eb7df0cb73dbe0b51970e709470cf4f5e3671b903

Download Submit
C:\Windows\SysWOW64\Ffkjlp32.exe

Filesize
79KB

MD5
686e280dba8179c16878ea385a192868

SHA1
7aedbcdb83cc5569e8c1e8207ca15282c078932b

SHA256
48df222654374ae5ff21f6d7f0138f1340b33884aeb700d51c87c27dd3cf8147

SHA512
ea1b1d2916047f158b738672a677a0eaeb845ed36ad32b9af41683f90b1a6dc7209a84a4b4ae8497a3501e060d58c756c81bd9dc5a4981b4434e37dd7fcfc11f

Download Submit
C:\Windows\SysWOW64\Fhcpgmjf.exe

Filesize
79KB

MD5
5ed4e95b076dcc0d3b4f998bfd5857bf

SHA1
9ed5e6dd63a4bdfe75741ffe9cbd9b9dfa40cd6b

SHA256
be6411ac339dcb48d0aa6c8d5f0ff2fa639d55e1f15359df3cdae34b75cc762c

SHA512
880685eb7dc36db892946b8c5d2480a1996ff4b19180be56c82a3d8016a8184d332bdd1b256fbdf4d6e14183900c4fe5d1df716dee3c071fc5a158b61a8937d9

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
79KB

MD5
967adcdcf4f3078ce28dc2347101bcf7

SHA1
253fe665764f50a883c0413fa88040e9a1b95654

SHA256
d0e57d10c19d3fa163790e200cd646fea0df2b440608d8302d5909b5026107f2

SHA512
5ec01fd8735bca7ed9d6216163baf747821fe0a054df59409d91c8fe3e8eb0afc8c4a1e55d9f2424f2cb0048bbd3ccd6256d5535ec1e23dde0105f86b9eb7c75

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
79KB

MD5
ecbb90a923fc60cb97bb165ee2e54f23

SHA1
fe6a8b13bdd229b82a2d2610d05bb6e6612449a9

SHA256
f7b7aa1fb923dcd939c632aa4ab63a4144b1589927d31b6fe333cc4e8a52e610

SHA512
02d9047b7bdaaa82dc6a9a60085ae5666ffcccd38e67cf84f7ebc001481e1ae86336aef6dd0bd6f6c9e28d25c27d95f503c5efcfc06603bedd2d6a8a4b450550

Download Submit
C:\Windows\SysWOW64\Flceckoj.exe

Filesize
79KB

MD5
b02f6b662f7525800ebbdec2811175c3

SHA1
4781f1881365f868bc7920b052bf3cda255c2f18

SHA256
8c6b2dd1920f48bb66bf5a516f6ca032fef5a454ddcf1c5bd0b58e3e016fe256

SHA512
986612d8645711a5136e667992f8a5e87994ad36b50f117e85be4a09108493b0898f87c271752bc82b6bdc8963360a0b61b8d18fc9f26dd114e294b57774be46

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
79KB

MD5
79ab137b34df8227a4f7102412e6ecf8

SHA1
1f751b654bee2af13535de229e761d09d3220e27

SHA256
f5d00f44f8bf0f798d2c12468cedfea243a4a9806e1ed8582a1c388f7f0c7fe3

SHA512
163b325f275f749eac0f8b079cfa577108e1cecbd6466c84e954719b5d40a2a51820b677fb15cb118ac152a884bdf1cbbea810b3488751633182f7955a51a832

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
79KB

MD5
2038a13f153035275ec36773408102e5

SHA1
cf7ac437c7e38a303de142bd1ed64755e6d9905d

SHA256
8c644decf12d783e06cc4b1b5758a6331603bfbb0eb70c28c0a0a713f7077036

SHA512
71f27a79efad95e61043da9203913286fc17b94bffa96642b9ea7ed1845a949e7f24ed7178206bffc9758a44c0dc065053a76ec8428dcc5dcf3eac5103258f6d

Download Submit
C:\Windows\SysWOW64\Foabofnn.exe

Filesize
79KB

MD5
db793c9933521b8837e3f3e84d0e5acc

SHA1
7992c80f14e445cd582a05e68f2d585abf85d0d0

SHA256
5cb6bcdf4dba5826fbb29c5c62114228172e9ad8b0e156b92f3974b3c46bd15b

SHA512
fb016d86e6c2948337e47ad553ce92e20c1f43a8917cfde3f44091086cd266dd40ba6e02ea0e22ae5b1d9bcabe053804183ac15864975484279cd087f145e20e

Download Submit
C:\Windows\SysWOW64\Fojlngce.exe

Filesize
79KB

MD5
730913eee17abbfecb819948a647fbbc

SHA1
b02138371105a1d1ce4ddbbbbea502fd81cbd571

SHA256
c001e520f135c282d2a95bf01a3f109b38434e2bc457b9abe992279d5bf037f9

SHA512
cf0da394c983a284d9133bf97516ab1102ba8faa409e497e70e2e3ac2c21666681def7e8aeedea841d8b32bfd5b727da7a2b1311a646de73bca402a00aa3c7f6

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
79KB

MD5
668401e580737739667c2a73a98d56cd

SHA1
61bcd65911f145d3e6b93ba0d8014fc0de5804d4

SHA256
785250ff036920662cd9a704a8f7a373a47ad4f1e1e079a0a3ae81b2943ebe3b

SHA512
396bddc2bc89bad8badc550b5f1d197caed76ba4b25014c895c5fee46cef6def720a5a56f6786ec0d8b343a3fbba0416dc11365c31327868aa666311383ced03

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
79KB

MD5
8d656dcca823c2331513dd7cb85925ae

SHA1
9963fe5928c2533635991f171eb665cd962baf91

SHA256
94e3f6b41bcfe63548df17d3c07a571ab69a7e93fb397e31e1547f12bd926453

SHA512
0c867b184880b5252106ede5f16617d055e7b7f085c819aa89b32de23201049c75af13d8dfb884c045dbf6e575c0443453c89b1ae34f71be46692a0a9bda2eef

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
79KB

MD5
f0602ee8511bd8cccd8a6f3820eef1b7

SHA1
b7107c6aa0cfbd3fc4c729c13754768f73c51f55

SHA256
6570c21ab17f39b1b048bb8aff3771cd6741d4471e24d49a9af26ff748360b79

SHA512
c728b0ae341269a1dcecd569b1adb12ae8cb79127a4c234e583011410823814eeba8af0f474dd10647a346fa85e33e5881e17b505b6c217b9f0ac2ab3e5dd686

Download Submit
C:\Windows\SysWOW64\Gcagkdba.exe

Filesize
79KB

MD5
d7da1f044a79a5adfa562be2a81270c6

SHA1
19daf50ed8086c1c95e2155a783c8678b8855410

SHA256
1714561bcb80994cca105ba9532f0914dec1bc8f8a56e4a8a3293c5dcac30c29

SHA512
bcbcb283fff7ee1990969cbb7279280524e242da403b3aac9abf037a5f18a534651ef390385a1570dbd0ee2831cbc5a9e79301eaeb6c202ca26f2e230a432729

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
79KB

MD5
93f44861a3bea679f943d4aedf09ff2e

SHA1
6eeb25d760af03070672322548d4b6ae8d0b617a

SHA256
416af5e07476d8ebcb9d745a0cea53bff30b7d8d1f3cd1cbc8ba17b0d04e55a9

SHA512
1ab3d7368fa4b04d92e32c2e3abb1a93f2a25ed9d26ad79dfadee708bdd0882c59611b78f0fa6a34027094431eba6c144ab03c79939f8a2ef4b6716bca231783

Download Submit
C:\Windows\SysWOW64\Gdcdbl32.exe

Filesize
79KB

MD5
4a5c2932db65e04569c1492d3df32a5c

SHA1
841941ce7a8d9777f821042ab3477d5dddfc4fc8

SHA256
a4c6e5a81885a6051ba0291d4505d19cd83e57c88302edc1e9236dcd17e75556

SHA512
c4e09cc24aeb6edfbd8a1cb9f0366ec84784a7b031801bfcbd23892c092c9b720df5b851893ccb21c3f9bd07f3d9573bd85727d951adc3cd4a828e763712dcd1

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
79KB

MD5
45336efda9eae7a7f8b2e3ee5254aff8

SHA1
33ab42a6e508ca51914f03972e14aba8963b26a4

SHA256
e1f6e51b8b4ea6962ce297daefe5980d6ff4e3c45314835ba26a28f79b3508d2

SHA512
106c714232aa73327289195fcdb094c33dadd0b04d1dbf5576a9ae384dc7184ed86081e4186dc0005710341ab37b53101edb475416e37b9fc7f5f34e80cd5392

Download Submit
C:\Windows\SysWOW64\Gfngap32.exe

Filesize
79KB

MD5
4faae133e9d862f79acd9ac5d7700886

SHA1
eded382d36e684d49cde85aaf0c5ae6ed60c83d9

SHA256
a9f95577581d28a64592032754b23910adf09737ccb9f2a6b900bce39dcce448

SHA512
e69daad8c73424552db85a0d13ad1495b7a5c2e5778f2192103596e7b39909b08212176c858c66e347e708bd0a1a6a733699cad5df123c82c936c8ee911ae117

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
79KB

MD5
a19bc7eb9070be0b85f6f47b67b52b5b

SHA1
63597fed3c4496fb0fec58698f68612e7d21591c

SHA256
5070218288ad19643ffbb7e24f9dcbcb6142e09d869c49b5b1b881906db79be5

SHA512
915539160c7ce0c3ec28c21a0531e1651872a38b0a3a1f4ce8742cacf60b7d05ce7542fb2835137c9967e0511d3083bf21f54a0ab56c573719b4942acd856f60

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
79KB

MD5
ca8c4efd0eb61ba879d753a363669951

SHA1
ef8342441df9b3a6caf94ce2584af07b6adf25cc

SHA256
efa91e009e1cb60893cc2308e57d6552699b59f99a153a0de47bcf24ba93a831

SHA512
17a226d95b263beb18de90894ba46bb04dadb13f5ba67170cf609c24c66bc0936351ad5dacafd76395d4b42b141f29fbfb591afd5936ca8908190a9d287b7921

Download Submit
C:\Windows\SysWOW64\Gicinj32.exe

Filesize
79KB

MD5
ca57a10005caf330b9b450098ffd29d2

SHA1
ffd5e5cf7c93f6d6425c597f24af0aecff90bc13

SHA256
db89d1160c4ff23045c02c5660a53d2acb820e2604cbce73badd80db626747ab

SHA512
43fb4db227d99e6baf2c54718e2b918ce23455f7d24310e5d4ecf44780bb4f2a472d9842d33710aa3903925c261de26acee890b8e495abf39d469a76f7966b10

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
79KB

MD5
723068daf9fec6f28e9f49cea6508f17

SHA1
25cc8f96af940e9146fc01ebb7c9d48cae9aa1d3

SHA256
59108290aa49734938b4a366e98383d1a1c57b588ccb562c609115442d6ecccd

SHA512
530c3dfa93d358bbe80f53703394422c8d9fb39a4a45ded1dddbe87f68880de78824d1fd926526eb575a1b7998437566c7ead48355a7528de4d27d961271ed1f

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
79KB

MD5
e2863cb9c690347792aef8ce3a3bc2ed

SHA1
d920209b58e6767b06ba2a69fb6ecf0389028799

SHA256
f5913a0f947faae6acca4942264234a53d632becbc8af6f18751527def3f123d

SHA512
e43e161ad6bbd66bf064b56505440bec584d5e6893ae3541c8ab9780311f79c8c072d3b72f964876a28defa1592a3102a27033fbe6176e88fc199716b674dd2f

Download Submit
C:\Windows\SysWOW64\Gohhpe32.exe

Filesize
79KB

MD5
d496500a88b8823a194fd7271511e3da

SHA1
b8a9ffa0b76534f9aec6ae8aa0b2dbc98db0553f

SHA256
ff39ee31c9d71378dd65b2b1ba4d1458df474d9f3c9e6054351e6a3390aff5ae

SHA512
4303be24e123ccce498d60ad630a94d0b8ea101a5b2d6cd36b76a2996e913ee74a7ee1c6d06116139c07616a6603687a95f3c71bac2463b97df25d535521504f

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
79KB

MD5
58039022e01bee9144a5f4e600a3f786

SHA1
54850955784d497640e7382d5b39e847764eb71b

SHA256
888a69f74125a2ad89449359efd76dc6950f6952d484434136f97987937d8f3b

SHA512
dc7a945c95df510ff3f2b44ef47cc548fa147e57f8f5228794f1c80ab392bbdfe025316865905ba7def20df7da9019348cfd8b11f74c21cd235d2f805c6980e0

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
79KB

MD5
14489024082c8574b75e4bbc86e6bdeb

SHA1
95f88f8c1ea5e9314bc525e0e595e6666cb10613

SHA256
0b2f1ba7f54c2796c92efa90baf4cf211d934135f3668bf402dc887a2291f42f

SHA512
c7af93e18192b3a87f3cb0b3eb87a209d93560a2d618caf536a2b8060223ed8ae304961d86608002a474dab361a7e7015703b2ad089f414bca6292c59e3ae392

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
79KB

MD5
1bdc50edc22516b4803002aa40cd397a

SHA1
85ac59cdef327bb60da11518a21bf00785c67ff4

SHA256
32ae3a90818d82313d323bc08e07b37774d98b48bc89b0d86928aa6d856049f8

SHA512
3d3a3c8540442ccf44f876728d258c2668159176a316ca4c435ca273d58befd02b9f86a24b01615d3508d4220782daa89d2df8494c76eb822110bd8875a93583

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
79KB

MD5
b1797a87d447f1f3e1b8b7132a2e81ad

SHA1
77ceee0518fe04f9809272d1823a91b26b973a9c

SHA256
e5d107a09e51401f5c7dd8594dee12fa3fa879b35d3351d7425513b3ecf595a8

SHA512
6a9b541fde6844ae24535dc26e41de9c18623f4753565d6d787b2c0ffee7e20a16cf8e41184174cb5b563c502c89d5464456800f83f1b00a60a84d7ddd673fd2

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
79KB

MD5
13465a721a1a90524d18d4ac6bd7ef92

SHA1
a3f465c53da8b16ed04f7984d3012a85a5555721

SHA256
ae129276aa01440e3d19176126e7d9cc0b72d9e6e5e64e13fb74ef528edd4948

SHA512
7c0ffe100b93b60a0d375440b33f1f08c3634bf1d925bb077712b3eda4adbc7cfcf49771fbc808120c132e46f8d014b0a631dc4432bdac817d7404feb8f44cc7

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
79KB

MD5
a1137a04fc68b36a7cad0c05f04b61dc

SHA1
0561c5b66d5bdd1b15e46be8fbcff0e7b82a8d97

SHA256
578606763be945ce35204eff731bae637edaf28a98fff9646bf2b8ed4314eec6

SHA512
c0c39a8376045913e2803907aacb5abc859b80b80ca16f506dcc4a35b92d3ea6ebde600b31431453a54ff7272b17a526c41a98593a91c61f48bb47a146273157

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
79KB

MD5
30310c3ec2e8a0a2c78648d00f63d827

SHA1
1de765d69039a864db6d8c91e866d5bf3b86b090

SHA256
315e5e6b2e47b25f123f7bef053e53be66dd9226f36a8b54b57e7beb13f946e1

SHA512
c02f0d20a7f3369d85b5b63035d3af139b360ea63ed63c56b1ffaf2f4cc5b199cd3349387d83fd684ae00df872bd6394984264da64e2866bb0d1ad68f6c300d6

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
79KB

MD5
63c3aa78bc05911144e0503bd4520f18

SHA1
5ab30da523ecd4f1a60090105df2fff899df4138

SHA256
e405ee9f73c6dab7d453904a02b3ff421def09699727d5253de7e32bd0afddd6

SHA512
86080d47b76e2d3d7bb66c5e64036b29f967fef0c398da2c9949bee82271683f13555365d9c4acd7063c9ffbb4476d61a5e5bd1ff1499662ed47296eb91bbc83

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
79KB

MD5
be87c67babe705bb043e7afc87d13571

SHA1
fb45bc3c282f7ce38507a20bb87f90393c336f18

SHA256
758417b4188b7b14aae767fa13ff2c13a8d51bf17e5895324bd9aed4dbd34609

SHA512
fb631f4d24911bc2fbce0850a8cb8004d0b0186dde6b93806adc8f1ced48e9fcb3bce23d096d24759a2d3fc383491aed8efe4b0dc20f0f66cf6d0a49f86fa156

Download Submit
memory/280-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/384-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/388-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/492-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/504-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/532-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/984-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1008-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2368-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3376-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3684-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4200-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4240-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads