b118f93ed809a89c0c077e19cec388fdea528f8750dc8c681926bd2bb6a6b8fc

Analysis

max time kernel
92s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7387452138711ca7765fffd9c33f5069.exe
Size

80KB
MD5

7387452138711ca7765fffd9c33f5069
SHA1

56fc741397f6aacc0302695eef44b0498fd1dfd8
SHA256

b118f93ed809a89c0c077e19cec388fdea528f8750dc8c681926bd2bb6a6b8fc
SHA512

00e45ceb3a16c6b8d82d67c828fd1aebb46e47f7eed8e0cdb0112e38c0cf237b99646e54d294872096489333e5cdd0669329d3e614b63d078c22f2f83994280a
SSDEEP

1536:TZsGAJjbUJtzTSvoyqdxWd6JxlOzzDfWqdMVrlEFtyb7IYOOqw4Tv:TZsGUAHWd6J7OzzTWqAhELy1MTTv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmeobkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajneip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahkobekf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaooda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balfaiil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aelcfilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjghpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dekhneap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnnep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbnia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcepkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eocenh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eemnjbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhemmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abemjmgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgipldd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklaknjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdhfhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conclk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baocghgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhidjpqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faihkbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdbhcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dceohhja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fojlngce.exe

Executes dropped EXE 64 IoCs

pid	Process
2252	Pnfkma32.exe
4524	Peqcjkfp.exe
5016	Pkjlge32.exe
224	Pnihcq32.exe
2436	Qecppkdm.exe
1960	Qcepkg32.exe
2824	Qkmhlekj.exe
2592	Qbgqio32.exe
2488	Qchmagie.exe
2876	Qloebdig.exe
448	Qnnanphk.exe
4396	Aegikj32.exe
1664	Agffge32.exe
4048	Alabgd32.exe
3144	Abkjdnoa.exe
2760	Aejfpjne.exe
4556	Ahhblemi.exe
3320	Anbkio32.exe
2696	Abngjnmo.exe
3484	Aelcfilb.exe
4280	Ahkobekf.exe
836	Alfkbc32.exe
2880	Aacckjaf.exe
1724	Adapgfqj.exe
2680	Alhhhcal.exe
3152	Ajkhdp32.exe
3740	Aealah32.exe
2024	Ahoimd32.exe
4000	Ajneip32.exe
4476	Abemjmgg.exe
2508	Bahmfj32.exe
3424	Bdfibe32.exe
3356	Bhaebcen.exe
4196	Bjpaooda.exe
3684	Bbgipldd.exe
2176	Bdhfhe32.exe
2996	Bhdbhcck.exe
2756	Bjbndobo.exe
4372	Bnnjen32.exe
4940	Balfaiil.exe
2820	Bdkcmdhp.exe
3436	Bhfonc32.exe
3236	Blbknaib.exe
772	Bopgjmhe.exe
1700	Bblckl32.exe
4996	Baocghgi.exe
1332	Bdmpcdfm.exe
1496	Bldgdago.exe
3884	Bjghpn32.exe
4884	Bbnpqk32.exe
4500	Bemlmgnp.exe
3400	Bhkhibmc.exe
2576	Bkidenlg.exe
3976	Cacmah32.exe
4560	Ceoibflm.exe
4832	Chmeobkq.exe
3480	Cklaknjd.exe
1644	Cogmkl32.exe
1368	Cbcilkjg.exe
2548	Ceaehfjj.exe
2108	Chpada32.exe
2284	Cknnpm32.exe
2636	Cojjqlpk.exe
1512	Cbefaj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Alabgd32.exe	Agffge32.exe
File created	C:\Windows\SysWOW64\Fafkecel.exe	Fohoigfh.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Iclnemml.dll	Aegikj32.exe
File created	C:\Windows\SysWOW64\Ophfae32.dll	Flqimk32.exe
File created	C:\Windows\SysWOW64\Fcnopdeh.dll	Fdlnbm32.exe
File created	C:\Windows\SysWOW64\Gpiaib32.dll	Gkkojgao.exe
File created	C:\Windows\SysWOW64\Doeiljfn.exe	Dkjmlk32.exe
File created	C:\Windows\SysWOW64\Aoohalad.dll	Kdnidn32.exe
File opened for modification	C:\Windows\SysWOW64\Qecppkdm.exe	Pnihcq32.exe
File created	C:\Windows\SysWOW64\Fdmlkkap.dll	Pnihcq32.exe
File created	C:\Windows\SysWOW64\Bdmpcdfm.exe	Baocghgi.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Anmnemcc.dll	Aejfpjne.exe
File opened for modification	C:\Windows\SysWOW64\Cbefaj32.exe	Cojjqlpk.exe
File created	C:\Windows\SysWOW64\Naoncahj.dll	Heapdjlp.exe
File opened for modification	C:\Windows\SysWOW64\Hofdacke.exe	Hmhhehlb.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Bldgdago.exe	Bdmpcdfm.exe
File created	C:\Windows\SysWOW64\Jlajgl32.dll	Cdiooblp.exe
File created	C:\Windows\SysWOW64\Jfoiokfb.exe	Ipdqba32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Fomhdg32.exe	Flnlhk32.exe
File created	C:\Windows\SysWOW64\Keajjc32.dll	Hkmefd32.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Kpeiioac.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Gkoiefmj.exe	Ghaliknf.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Jefbfgig.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Clpgpp32.exe	Cdiooblp.exe
File created	C:\Windows\SysWOW64\Kplcdidf.dll	Eefhjc32.exe
File created	C:\Windows\SysWOW64\Kqoieqhe.dll	Elbmlmml.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Mgcdak32.dll	Hkdbpe32.exe
File created	C:\Windows\SysWOW64\Ipnjab32.exe	Ikbnacmd.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Bblckl32.exe	Bopgjmhe.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Alhhhcal.exe	Adapgfqj.exe
File created	C:\Windows\SysWOW64\Jmhale32.exe	Jfoiokfb.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Mhciec32.dll	Ckpjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Eolpmi32.exe	Dlncan32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ajkhdp32.exe	Alhhhcal.exe
File created	C:\Windows\SysWOW64\Dbfmkjoa.dll	Gfgjgo32.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	9520	WerFault.exe	481

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdhfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbcpl32.dll"	Chbnia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkkdmeko.dll"	Flnlhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmafkkf.dll"	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdcdbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghlcnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjghpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdlnbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blbknaib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfkqkek.dll"	Ahkobekf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhaebcen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Demecd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhdlom32.dll"	Fdnjgmle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghlcnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcfedla.dll"	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jccejahl.dll"	Qchmagie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbnoffm.dll"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Camphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceoibflm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eamhodmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blbknaib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eapedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnnjen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehnglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkmlofol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7387452138711ca7765fffd9c33f5069.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffkjlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldggoeb.dll"	Fojlngce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehljfnpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnbea32.dll"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmeobkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnicfelf.dll"	Qecppkdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aelcfilb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Ngbpidjh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2252	1524	7387452138711ca7765fffd9c33f5069.exe	85
PID 1524 wrote to memory of 2252	1524	7387452138711ca7765fffd9c33f5069.exe	85
PID 1524 wrote to memory of 2252	1524	7387452138711ca7765fffd9c33f5069.exe	85
PID 2252 wrote to memory of 4524	2252	Pnfkma32.exe	86
PID 2252 wrote to memory of 4524	2252	Pnfkma32.exe	86
PID 2252 wrote to memory of 4524	2252	Pnfkma32.exe	86
PID 4524 wrote to memory of 5016	4524	Peqcjkfp.exe	87
PID 4524 wrote to memory of 5016	4524	Peqcjkfp.exe	87
PID 4524 wrote to memory of 5016	4524	Peqcjkfp.exe	87
PID 5016 wrote to memory of 224	5016	Pkjlge32.exe	88
PID 5016 wrote to memory of 224	5016	Pkjlge32.exe	88
PID 5016 wrote to memory of 224	5016	Pkjlge32.exe	88
PID 224 wrote to memory of 2436	224	Pnihcq32.exe	89
PID 224 wrote to memory of 2436	224	Pnihcq32.exe	89
PID 224 wrote to memory of 2436	224	Pnihcq32.exe	89
PID 2436 wrote to memory of 1960	2436	Qecppkdm.exe	91
PID 2436 wrote to memory of 1960	2436	Qecppkdm.exe	91
PID 2436 wrote to memory of 1960	2436	Qecppkdm.exe	91
PID 1960 wrote to memory of 2824	1960	Qcepkg32.exe	92
PID 1960 wrote to memory of 2824	1960	Qcepkg32.exe	92
PID 1960 wrote to memory of 2824	1960	Qcepkg32.exe	92
PID 2824 wrote to memory of 2592	2824	Qkmhlekj.exe	93
PID 2824 wrote to memory of 2592	2824	Qkmhlekj.exe	93
PID 2824 wrote to memory of 2592	2824	Qkmhlekj.exe	93
PID 2592 wrote to memory of 2488	2592	Qbgqio32.exe	95
PID 2592 wrote to memory of 2488	2592	Qbgqio32.exe	95
PID 2592 wrote to memory of 2488	2592	Qbgqio32.exe	95
PID 2488 wrote to memory of 2876	2488	Qchmagie.exe	96
PID 2488 wrote to memory of 2876	2488	Qchmagie.exe	96
PID 2488 wrote to memory of 2876	2488	Qchmagie.exe	96
PID 2876 wrote to memory of 448	2876	Qloebdig.exe	97
PID 2876 wrote to memory of 448	2876	Qloebdig.exe	97
PID 2876 wrote to memory of 448	2876	Qloebdig.exe	97
PID 448 wrote to memory of 4396	448	Qnnanphk.exe	98
PID 448 wrote to memory of 4396	448	Qnnanphk.exe	98
PID 448 wrote to memory of 4396	448	Qnnanphk.exe	98
PID 4396 wrote to memory of 1664	4396	Aegikj32.exe	100
PID 4396 wrote to memory of 1664	4396	Aegikj32.exe	100
PID 4396 wrote to memory of 1664	4396	Aegikj32.exe	100
PID 1664 wrote to memory of 4048	1664	Agffge32.exe	101
PID 1664 wrote to memory of 4048	1664	Agffge32.exe	101
PID 1664 wrote to memory of 4048	1664	Agffge32.exe	101
PID 4048 wrote to memory of 3144	4048	Alabgd32.exe	102
PID 4048 wrote to memory of 3144	4048	Alabgd32.exe	102
PID 4048 wrote to memory of 3144	4048	Alabgd32.exe	102
PID 3144 wrote to memory of 2760	3144	Abkjdnoa.exe	103
PID 3144 wrote to memory of 2760	3144	Abkjdnoa.exe	103
PID 3144 wrote to memory of 2760	3144	Abkjdnoa.exe	103
PID 2760 wrote to memory of 4556	2760	Aejfpjne.exe	104
PID 2760 wrote to memory of 4556	2760	Aejfpjne.exe	104
PID 2760 wrote to memory of 4556	2760	Aejfpjne.exe	104
PID 4556 wrote to memory of 3320	4556	Ahhblemi.exe	105
PID 4556 wrote to memory of 3320	4556	Ahhblemi.exe	105
PID 4556 wrote to memory of 3320	4556	Ahhblemi.exe	105
PID 3320 wrote to memory of 2696	3320	Anbkio32.exe	106
PID 3320 wrote to memory of 2696	3320	Anbkio32.exe	106
PID 3320 wrote to memory of 2696	3320	Anbkio32.exe	106
PID 2696 wrote to memory of 3484	2696	Abngjnmo.exe	107
PID 2696 wrote to memory of 3484	2696	Abngjnmo.exe	107
PID 2696 wrote to memory of 3484	2696	Abngjnmo.exe	107
PID 3484 wrote to memory of 4280	3484	Aelcfilb.exe	108
PID 3484 wrote to memory of 4280	3484	Aelcfilb.exe	108
PID 3484 wrote to memory of 4280	3484	Aelcfilb.exe	108
PID 4280 wrote to memory of 836	4280	Ahkobekf.exe	109

C:\Users\Admin\AppData\Local\Temp\7387452138711ca7765fffd9c33f5069.exe
"C:\Users\Admin\AppData\Local\Temp\7387452138711ca7765fffd9c33f5069.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\Pnfkma32.exe
  C:\Windows\system32\Pnfkma32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\Peqcjkfp.exe
    C:\Windows\system32\Peqcjkfp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\Pkjlge32.exe
      C:\Windows\system32\Pkjlge32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\SysWOW64\Qecppkdm.exe
        
        C:\Windows\system32\Qecppkdm.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Qkmhlekj.exe
        
        C:\Windows\system32\Qkmhlekj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Qbgqio32.exe
        
        C:\Windows\system32\Qbgqio32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Qnnanphk.exe
        
        C:\Windows\system32\Qnnanphk.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Agffge32.exe
        
        C:\Windows\system32\Agffge32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Alabgd32.exe
        
        C:\Windows\system32\Alabgd32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Abkjdnoa.exe
        
        C:\Windows\system32\Abkjdnoa.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ahhblemi.exe
        
        C:\Windows\system32\Ahhblemi.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Anbkio32.exe
        
        C:\Windows\system32\Anbkio32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Ahkobekf.exe
        
        C:\Windows\system32\Ahkobekf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        23⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\Aacckjaf.exe
        
        C:\Windows\system32\Aacckjaf.exe
        24⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        27⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        28⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Ahoimd32.exe
        
        C:\Windows\system32\Ahoimd32.exe
        29⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Bahmfj32.exe
        
        C:\Windows\system32\Bahmfj32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        33⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\Bhaebcen.exe
        
        C:\Windows\system32\Bhaebcen.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Bhdbhcck.exe
        
        C:\Windows\system32\Bhdbhcck.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        39⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        42⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\Bhfonc32.exe
        
        C:\Windows\system32\Bhfonc32.exe
        43⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Bopgjmhe.exe
        
        C:\Windows\system32\Bopgjmhe.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        46⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        49⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Bjghpn32.exe
        
        C:\Windows\system32\Bjghpn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        51⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        52⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        53⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        54⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        55⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Cklaknjd.exe
        
        C:\Windows\system32\Cklaknjd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        59⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        60⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        61⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        62⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        63⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        65⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        66⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        69⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        70⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        71⤵
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        72⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:776
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        74⤵
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        75⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        76⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        77⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        78⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4508
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1864
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        81⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        82⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        83⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        84⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        85⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        86⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:964
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        88⤵
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        89⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        90⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        91⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:212
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        93⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        94⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        95⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        96⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        97⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        99⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        102⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        104⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        105⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        106⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        107⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        108⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        109⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        110⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        111⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        112⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        113⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        116⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        117⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        118⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        119⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        120⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        121⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        122⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        123⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        124⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        125⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        128⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        130⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        133⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        135⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        136⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        137⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        138⤵
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        139⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        140⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        141⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        142⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        143⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        144⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        145⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        146⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        147⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        148⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        149⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        150⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        151⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        152⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        153⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        154⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        155⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        156⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        157⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        158⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        159⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        160⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        162⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        164⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        165⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        167⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        168⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        169⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        170⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        171⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        172⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        173⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        175⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        176⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6980
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        178⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        179⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        180⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        181⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        182⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        183⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        184⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        185⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        186⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        187⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        188⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        189⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        190⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        192⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        194⤵
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        195⤵
        Drops file in System32 directory
        
        PID:7084
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        196⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        197⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        198⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        200⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        201⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        202⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        204⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        205⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        206⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        207⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        208⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        209⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        210⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        211⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        212⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        213⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        214⤵
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        215⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        216⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        217⤵
        Modifies registry class
        
        PID:7264
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        218⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        219⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        220⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        221⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        222⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7580
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        224⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        225⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        226⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        227⤵
        Drops file in System32 directory
        
        PID:7760
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        228⤵
        Modifies registry class
        
        PID:7812
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        229⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        230⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        231⤵
        Modifies registry class
        
        PID:7952
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        232⤵
        Modifies registry class
        
        PID:8000
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        233⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        234⤵
        Modifies registry class
        
        PID:8080
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        235⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        236⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        237⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        238⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        239⤵
        Drops file in System32 directory
        
        PID:7376
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7444
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        241⤵
        Modifies registry class
        
        PID:7500
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        242⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        243⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        244⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        245⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        246⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        247⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        248⤵
        Modifies registry class
        
        PID:8028
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        249⤵
        Modifies registry class
        
        PID:8116
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        250⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6836
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        252⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        253⤵
        Drops file in System32 directory
        
        PID:7348
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7492
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        255⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7796
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        257⤵
        Drops file in System32 directory
        
        PID:7908
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        258⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8128
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7324
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        262⤵
        Modifies registry class
        
        PID:7620
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        263⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        264⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        265⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        266⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        267⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        268⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        269⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        270⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        271⤵
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        272⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8156
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        274⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        275⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8284
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        277⤵
        Modifies registry class
        
        PID:8328
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8372
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        279⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        280⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        281⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8540
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8580
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8624
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        285⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        286⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        287⤵
        Drops file in System32 directory
        
        PID:8748
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8788
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        289⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        290⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        291⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        292⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        293⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        294⤵
        Drops file in System32 directory
        
        PID:9032
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9080
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        296⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        297⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8196
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        299⤵
        Drops file in System32 directory
        
        PID:8268
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        300⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        301⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        302⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        303⤵
        Modifies registry class
        
        PID:8548
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        304⤵
        Drops file in System32 directory
        
        PID:8608
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        305⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        306⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        307⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8864
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        309⤵
        Drops file in System32 directory
        
        PID:8936
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        310⤵
        Drops file in System32 directory
        
        PID:9016
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        311⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        312⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        313⤵
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        314⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        315⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        316⤵
        Drops file in System32 directory
        
        PID:8576
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        317⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8704
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        318⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        319⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        320⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9024
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        321⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        322⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8248
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8484
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        324⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        325⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        326⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        327⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        328⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        329⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8716
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        330⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9068
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        331⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8304
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        332⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        333⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        334⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        335⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        336⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        337⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9308
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        338⤵
        Drops file in System32 directory
        
        PID:9348
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        339⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        340⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9432
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        341⤵
        Drops file in System32 directory
        
        PID:9472
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        342⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        343⤵
        Modifies registry class
        
        PID:9756
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        344⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        345⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        346⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        347⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        348⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9960
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        349⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10000
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        350⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10044
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        351⤵
        Drops file in System32 directory
        
        PID:10084
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        352⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10120
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        353⤵
        Modifies registry class
        
        PID:10160
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        354⤵
        Modifies registry class
        
        PID:10208
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        355⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        356⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        357⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        358⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        359⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        360⤵
        Drops file in System32 directory
        
        PID:9556
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        361⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        362⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        363⤵
        Drops file in System32 directory
        
        PID:9700
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        364⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        365⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        366⤵
        Modifies registry class
        
        PID:9864
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        367⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9948
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        368⤵
        Drops file in System32 directory
        
        PID:10028
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        369⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        370⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        371⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        372⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        373⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        374⤵
        Drops file in System32 directory
        
        PID:9516
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        375⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        376⤵
        Drops file in System32 directory
        
        PID:9692
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        377⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        378⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        379⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10068
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        380⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10220
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        381⤵
        Drops file in System32 directory
        
        PID:9464
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        382⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        383⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        384⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        385⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10192
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        386⤵
        Drops file in System32 directory
        
        PID:9652
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        387⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        388⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9520 -s 396
        389⤵
        Program crash
        
        PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 9520 -ip 9520
1⤵
PID:10140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aacckjaf.exe

Filesize
80KB

MD5
640945e6613281e8f21e7f7340bfd7d0

SHA1
d69b089afe55e9424864b67b8e50b61ab3902e16

SHA256
46bb650c5210ab91a44a9b36ffb6514b1d6fc5a13f118bb32308d567a8edede2

SHA512
e8a2251d8e38f1582924c34b7a261f997e87e1c93a0b2c58e05d807ac686e89f087e716aab8c614a9faf901fc47c8cd56c7e1799dcf8eef64db39f2b62b07650

Download Submit
C:\Windows\SysWOW64\Abemjmgg.exe

Filesize
80KB

MD5
fe822806349b36853ebc20012997dde1

SHA1
7872131b1d099b0603bd49f44a2fb546ff85fccf

SHA256
f59ec8a7ef24a4acd09ba0e0ab812d8e7325f7bf550be9e5cc9cfece375f6fec

SHA512
8a45ef38c699680d12d46e1a59c0a7143df25eacf442ce9300d6eac509851d036005306f4bc0fc41d1054355dbd43c101908e8c0482ba5f4995be8bd225fb2f6

Download Submit
C:\Windows\SysWOW64\Abkjdnoa.exe

Filesize
80KB

MD5
144b199cddac729f8c769fa3d1a1227a

SHA1
89dceb91469e2919e63552972e28724903b22b06

SHA256
a0e57321b242f48eb7bd9ee2ba29b2ca511db0c0d39bc66c2c308b3a3278be60

SHA512
156cb248be8a571fbf7569dc59e9255597294676beaf8fd5b9d090b919705fb9e840bc411d623a692923046293abdd7fd9acb3c759418b0474f4f1457ee12f34

Download Submit
C:\Windows\SysWOW64\Abngjnmo.exe

Filesize
80KB

MD5
bdc7bd84c52ff30f2cbb08144c4cec8c

SHA1
9884a7b4232321959d1630bb2f01d8a69b7442cf

SHA256
e8ceb36da7abb83e1b1555d8647097b2dc48bc557462f4ca5de9c02f52a06530

SHA512
fc29685c15860a791ab6ac395988ba5d4855621227f9095654287fd9afc547ec51438d84074f66d6fbdba22f3f695166c151ab8a0d00d3facd0ec79e566f8de2

Download Submit
C:\Windows\SysWOW64\Adapgfqj.exe

Filesize
80KB

MD5
0c0e0dab14b7590a5a63e915dbbf94ee

SHA1
42aec3aa02483ef3b8fb1233246c9497ab84d4e7

SHA256
23abdf5b2c08ea58447817b9847e19bb614a55f391a016d2a2877832eba457f7

SHA512
199195558d23f6b8d72d6f65c43d77f6e5967e617ba4405edcf22037ad61052f9f2c817a6bb39eb18cfa9be3273f1d3ffbb9dc60d5e5fb94bf96c3e6f971f9da

Download Submit
C:\Windows\SysWOW64\Aealah32.exe

Filesize
80KB

MD5
fe46f7b8682af52cee2ccabcf97cea50

SHA1
c11e0010133fbb03e43c218739ff9177c4ff85d5

SHA256
45e244a9a4faa38533e26f475f7102623ae153d44347a485ea60c1468bf65d66

SHA512
5cdb1ac139598932eff02f7c8b06c540a38333eb743fe0fd19578eccbf68ba64d84a1d41ff371f39458bdc975f0847e9e21e686a6b89726e00c1e0103e1fc364

Download Submit
C:\Windows\SysWOW64\Aegikj32.exe

Filesize
80KB

MD5
f6b277c9cd4ff0e96d75e73cf25e6e84

SHA1
a39df4bf1e94522f42410c4d8c7cd946027af7e6

SHA256
7f964bd6354f659dfa9ae14001e17c96207a823f83ccb802677dee2566a76965

SHA512
28396385bb62f15cd91474e917638009e1c110b0f7b63859b349fcbc2d04df7de4d886dd9617911cb6650aec3f6fc61687fa8cbc71fa77d237623310a762fcda

Download Submit
C:\Windows\SysWOW64\Aejfpjne.exe

Filesize
80KB

MD5
6997c4df2bf9a262a64cd7ce27e3f3e4

SHA1
dcfc9ea91e3b29bc33e2b85cb45580df164da799

SHA256
89f560b50e7d6e7cd8d9954c910671fa9d6e108db5e62087f09dab71a5724805

SHA512
b3f6e4f8425b98a4d4f787452a8ef7fe68d5705a8f4d8fc8b18f8d5df06eabced4d930ca26f08551dc2781d23391600c181758732185bf8f80d922035bba3c31

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
80KB

MD5
cd30f7e366bd2da0b0740864e3caddd8

SHA1
1fe79617a0b3ea1cc8469d88db6729f47cc236ff

SHA256
b08bab495b15df6706582e8cfa35cb2deb34ee8c8014546dde6eeb8f2472a6fd

SHA512
b0d7c7564557720a22144b511fb293413a8dd8d39247b9d8d65842ee5327eb5673acadc340d01fb782d1161b1c7ee7028d8b7e59dd97720fe448090e3f37c2e1

Download Submit
C:\Windows\SysWOW64\Agffge32.exe

Filesize
80KB

MD5
b827a4e1389265f2ceb0f58f43220249

SHA1
912d114f935fb442e8b56de0c43f91c280bbca6f

SHA256
00f2307dcc30318682e4ff4f05b679878aa76ecd3ce493bc3606aa634e98bea9

SHA512
63bc63943a30338262d5fdc6561806db15b4117a41200e0d6628096d4ea53234b74732ff4295b44e77ffa9024a1c97db15a9d2caf78585ef33c2093f6cf0d71d

Download Submit
C:\Windows\SysWOW64\Ahhblemi.exe

Filesize
80KB

MD5
f70ba9e5b2e3e10a084091f0f37d461c

SHA1
fa8311bbe307f868ea4f32ba4552e9d59caeeaac

SHA256
d5826c286bad7c95bdb430152b864d5609b8a6bfa507e2b68ae977078b0a2422

SHA512
907937e5a339338024538e6acd56a91da601bccdb5ca13644afef52a88e53a811709b47373daff175a165f0ada7cd05b9077822a0c5e0deacece458a990b9edb

Download Submit
C:\Windows\SysWOW64\Ahkobekf.exe

Filesize
80KB

MD5
070a4b322638cb4bd85a373f7abfbba0

SHA1
ff0c5f2af9e8067cd3da1590640860271479df72

SHA256
43314612bb5f0804b40e161794670e0dd1ad40572639ec0ec2cb01849791ac1b

SHA512
88d9715b7c97a1f84eee08d24b2878747c65596ea3bebfef3964bfb59a3e37f1354faf4df2e7fc018a9e6851b1fad0b1646653948c092e076edb33df4358118e

Download Submit
C:\Windows\SysWOW64\Ahoimd32.exe

Filesize
80KB

MD5
8d648f3df647a9943ff8ed5e62260376

SHA1
a496859cf89aab8c1ac1c9464c90cf17e671b755

SHA256
f8e28f5d5d40c558264ce4e4135d458e031caca33808c9b18648db2fbce58d34

SHA512
afc12f7d213b2314dc71cfb9e99ce1cd00af3e5938423ce62d29f730317810629f92e265936f47c71d103a009eeb4e8bdb0adbcefee43ae1c85e0ba462df8232

Download Submit
C:\Windows\SysWOW64\Ajkhdp32.exe

Filesize
80KB

MD5
c4908d5daec1c5cf4634e7d3c1cd8499

SHA1
8971723f1610ca8202399c484daa8bc83d906ae6

SHA256
bac39b385ab8f4c885afda02d5392754605e1fe8c4e3627fdda1ad91902657f0

SHA512
945927c46b87f00c1661df636ad7489d077a7c2478648a6c7ca78e778c0e1fffa8a63548df7d9b034849ee8bbff00108bcaceab095a4453ece09bb178e70325b

Download Submit
C:\Windows\SysWOW64\Ajneip32.exe

Filesize
80KB

MD5
92573bfc14e2bad4193168e70f5b5130

SHA1
d61eda10c6b0ad7489a54be55da3640caf5d3bf2

SHA256
165eaecc6b548bec785dcea0b7febed2bee916750685d05aa85ca2db8f5e02a5

SHA512
fe6098ceffcd06e003e6a0f57a7a3b8beee4aee8e315a0a20ca51598a76c2f7f9935dd6c10d84503ed6bd9e724511e156ae5663744ea6e44a0a9656d99a6e848

Download Submit
C:\Windows\SysWOW64\Alabgd32.exe

Filesize
80KB

MD5
80ed45c69ab5818e171f9be014821151

SHA1
8bf34f0e8830dd47174df48f4350f2e04abaf15c

SHA256
eb342c09f93c808c8a74c341be29cab699491f6902157a2ca73ac94b19f175c3

SHA512
37906e0b2ac1867d32b0fe45284f606eee1a708e792e3a38e15b68d0b0f31b2cd250b056bc391c9e6f7dbb81683e16bd8a4691379710737cd167e7f2065a8b36

Download Submit
C:\Windows\SysWOW64\Alfkbc32.exe

Filesize
80KB

MD5
4fac1fa4ae990fcd732dc1d7de2fe425

SHA1
6d0ed546661ed4b1ac1f67c63854b4c10f7a17ba

SHA256
3160d4bfa54a4d270edd9a4d1df5f7c98c7185ab3dda2ab5a008e394088a2650

SHA512
1761114394109fbc57ed56b2d6fa930195361eae677c278ce681ce5d411554f5baea7fee80a8a06d317b55a4c280921475f545075494ccbbc5e52249d17fceb4

Download Submit
C:\Windows\SysWOW64\Alhhhcal.exe

Filesize
80KB

MD5
e1f46d40a84f110538b6f55422233bd9

SHA1
213059c03104243b7fa2f34527245a317dc3da78

SHA256
229521fc884d006fc180077dd0be81f97d071c9e9b33fe04bdd16e65489d7c6c

SHA512
92f0d383108c3df96d4f377669e03cdf769f4d0ec588b352fd4d56cd186523489ebbac6f060cd86dbc3dfdebbd585c6b08c4036776cdbfaa4e4d748905e34865

Download Submit
C:\Windows\SysWOW64\Anbkio32.exe

Filesize
80KB

MD5
22cb416e835cccb9887a9e60de850263

SHA1
f96ef12271fdbbd142b98ce4deeb5cd041d56829

SHA256
7140293a35319ece7ec496453c73d77e9bb65897124c4758842b63f23f74bd7b

SHA512
5544caedf20be936271526814e70071d9b6b4066f0f4982781c90dc0fff563fa1035f7dee7c74d6aaff94d7b096f417baaed3cf807729725379a87582566910c

Download Submit
C:\Windows\SysWOW64\Bahmfj32.exe

Filesize
80KB

MD5
1aa8546785dcb52b06d170af2777eecd

SHA1
8c9460103e7f6610321d593df15b579879b2e5ab

SHA256
635ad8077785177a24bb1d75a237a244615862bdfd5a60a6e9bab53c21c2bb79

SHA512
641d80d9671b24ccf4c8aa025f1d445f528d7789521dbea0ff837b13253f249f87f4cfe6014ce110505a4a8558128a889238a1452cf229d76912f524a1510915

Download Submit
C:\Windows\SysWOW64\Bdfibe32.exe

Filesize
80KB

MD5
6b134172bb315531a876896388c11950

SHA1
13da7e5f583e5a28b4df915c480f28129a95a56e

SHA256
ebab571f4fe97fa4b90c3cc55400de4097677770aa488cdadff7d55e6991ef71

SHA512
5924c8bcd40964db8db2866bd986b5cc9d90031e66e19f70abba067e50e86fedf53dba76cef837cb9bd62c194dfab839583810dc8eca85b6dad619d78d911a3e

Download Submit
C:\Windows\SysWOW64\Blbknaib.exe

Filesize
80KB

MD5
ceb4f733ba197b2651ce5c864290d2fb

SHA1
02a21a45e4712880abdbfc5f951c6ecbd8a89564

SHA256
ee3eaf3b58e4f6ee8dcbb574c70bfaed76e70e33b0385c1d4fa50809a31f8c0f

SHA512
031bde82cd6d113ae0b83dbc152c4ab1347e33f79477a8ce368ade0a3036f69f7d930ac5c0c6ed808855b6f2e9ef2781be954f92b23d2d8c9985cc1ddb17de5a

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
80KB

MD5
c2f19593e6a18d17197dd737e03d625e

SHA1
b2eb704ee6146815d1a57c42de39285add80bc26

SHA256
4d5cc35089d2af8e5f850f68029d5bbb987fa15a819062ebf5c46cdb0ab5c0aa

SHA512
8a068630a2750c35852995646b74a002d817a1145f4e3a22b6e899d90ea28dc366687cc17b945c58cfefc867734a69fcd469a4430ac4518a25be3f4ca5d61cb7

Download Submit
C:\Windows\SysWOW64\Ceaehfjj.exe

Filesize
80KB

MD5
597ebe3ca10cddd9f103a9754bdc189e

SHA1
960af0f514a4ebe515557e0817a3094909d3119c

SHA256
352a11566c6d81dc6cba2e11593e2fc31b77ca48fc2134d19d3eb652d5400a0b

SHA512
20ed87b5347b883e05a02d7c311b957b00079d6df918f96e52edd44918d33e88bebeff517124b12e4b6ddfda0c58ed2a96bd7009f572c819572a0a8515b86135

Download Submit
C:\Windows\SysWOW64\Dceohhja.exe

Filesize
80KB

MD5
375e58410940924856eab24907e6a45c

SHA1
924531cda05750ae76476e9ea69e4a00c0c656b5

SHA256
6b9f7056f83177f5df663c91840e7e5cf5cc21be62388374bdf7ebb5ebd52f91

SHA512
8975c6dcc0b3ec08268017fd46115b0093c159906edaaf45d340bb123502fa9ece8c0dba177460135ea1c9db456ba7ae561223a09326b33ecac242118ea7161d

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
80KB

MD5
666056569a2f9b73214381cad96301b1

SHA1
19516ce94b5a4ff27ec3c1402ff8abadd7b2847a

SHA256
d0e909df5226c87d657ce4837a904e43979035b1ec53f49249ab2c6c32b816df

SHA512
64ada2554443758cbd1ca05d129af70dba03b1c731f8e27dda5a069f7bf7ee874800a5bf79470f75480f41e5ad01d014c3b2739a4b1f9c3766fe06391f298f76

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
80KB

MD5
49801be533a09697bbcb26dd41516c35

SHA1
8aaa5605fc6c1b7d1d09b20e8b95c0af92632287

SHA256
772515d022dbb328dabbcf22bc9b10e686bf3607a3ae70f0bb7dbf19ccea43c7

SHA512
96331c5a4f3500b59e69ba71438620e8166866d17497061387458a9ee7372408c0b242880634afbf09f9361e7f647f8ad9340232cec63461b740bcc100dd2103

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
80KB

MD5
8d53cd8440483a470d6adf1f89bdc8a3

SHA1
6464ab02fc1a9eb3bfaf5195edabb83b77e4ecba

SHA256
bceaa4307f6d5c719c262f5f6095d793c463ce915d6cd3514f84f1f8d238ca3a

SHA512
319bbb82dce661ad68ae7532727e64d9d28f7b893fbb1ad7d0683a620852e79e217897c3a656003622ae52eafb577c97aeef7020ec049626cc00d5dcabd06d64

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
80KB

MD5
fbfb49fba2cf14f170d8d0ce7bb94e5a

SHA1
24cd64564acd3aa89bf1524b4b9a31c7a3783e1b

SHA256
f3bb02372e04ce3e8e6c87096e92710fdbf2486586560dc983d12da4a1b77ef9

SHA512
2c6cc10671cb087e1e7f645f70c1ad1237ef0bfd27f73f9e5829e18dd8990cbf22a645f7c284e6272c7b1795f2b1492d52b431bcdfcfd3bfe497baefb7f18e4a

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
80KB

MD5
0dc40c6a56711691a51abb45f5a92f13

SHA1
dd51607264c4b050bbd71ae3ca0baa9b2e0d1398

SHA256
3acdb66d7f85ef87b1f5f5cd0cfda86dee6d8ff2fde85ed2d34c2294061e8736

SHA512
3d57a693ef7c20e20e5cb2326ec550613580226f262b8a9128d323a58d8970cea3aad670ccbc50a8df39865b98f26e62108e6a70ee6cfb69d9256f72b939182f

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
80KB

MD5
bdde425ba0449ac430e65bcc2b3a50da

SHA1
3b1fbc6bca253849b645f25f3b767a1353a829a2

SHA256
b2285e633289718321fb7ad8b31f65c1cb78c755bc032308c58cb271fad30f34

SHA512
587688e9ff2c00d2b9abdea1a55534a642f6d691d088f43b2c0678e03a17f9ab416c46714cded2f63b706222d38ff0c8903986b699753533105d557788a0a160

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
80KB

MD5
35fc86b8c22815cbc724ffafe00b6f31

SHA1
9f207209cf5eb6fe01ef443fc343da7f65d8fe15

SHA256
0a8b8b27b953aca2e0415e9828211c7627d13dee254bbaca9457c8a9dfea4292

SHA512
427b3823f876da4a2ad0e485db0838344d8895fedf30fd155a5d47fd4e1e67a8b092be1bc9ebb94228d8e8d5a01d8a3a3232a1e69482ae46728e88d5ecb1f070

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
80KB

MD5
5bda4be9420e84bd806dd642393c2f6c

SHA1
32277d88553558ab24810afc4ff246ccb56cf0fe

SHA256
e119058c946821c9729eb565e8f84762c608647c246314ad8156c69d0a784da6

SHA512
ef6774e3c016b3e63f892e71b9dd9541beea82cfbcb467c1bfbc19bcf4c293e9742b080d4103995ebe0795d2ff7ebbacc5b72ccd3c9eff515c4a201b0a4f065f

Download Submit
C:\Windows\SysWOW64\Peqcjkfp.exe

Filesize
80KB

MD5
8f3da6d0426980b0da74a334ab9b95ed

SHA1
7f0cb4698e1a411735c785754d0870e25d748207

SHA256
466af1aef140804b0b7b58167178ff269ae00a33d4350c0540b2a5795db9b96d

SHA512
4611713d7faaf0fef5e57b290152a020dcabafed07d341a64e9a6c2d623849c034be9c9827a71f94cb23c8e376bc51733f6cbd127ecef2a9525ea99f4683a5fd

Download Submit
C:\Windows\SysWOW64\Pkjlge32.exe

Filesize
80KB

MD5
bb47a2daceda77e219739552a29ef75a

SHA1
436c67bdbf3dfcd8806fbc2f6c9f3ba31d556989

SHA256
de1677ea4895b5a10bd693f047f030becb353f53b008b8a6a87a499ba02cca55

SHA512
b76085ab3c2d17826fbcdf0e9549acbb589dd48f78f69ab7b6e1adca2d082551fdcdcb81c88360d9f4882871f1535fead6ce30f68e14b059b6d1badc1ecae588

Download Submit
C:\Windows\SysWOW64\Pnfkma32.exe

Filesize
80KB

MD5
d7d1af15789c544811d89cb6f8096cd5

SHA1
d149d127a76688ff659a474364bc8b782c10c51b

SHA256
6f3edb3f5d6a4fcaba0d925a09c32e4c576797fe8f607aff0efa4a03cd28a11c

SHA512
240654877921cc7951418c1ea4d68efef2208c7852bb7dfe8fec97c2a15673d323543d0a2cde1e11223961ae451df1727be0887a595b0ac710147465e5d3f339

Download Submit
C:\Windows\SysWOW64\Pnihcq32.exe

Filesize
80KB

MD5
cacf5c10aaf46c7c08395dce00fe834d

SHA1
b8b21b521514c33febda65c5e88342a141812411

SHA256
1699a382e8e643a3744284fe0c28c103bd133b3fd429513b4445e7680dce58b5

SHA512
05164addc6b5f594268486e3493df6e8b0f01f8b22280a361e3002ab394696fbbc1cd384703bf33a07094b1d464e4a200a751c649b6d5a38d07c729e65607a2f

Download Submit
C:\Windows\SysWOW64\Qbgqio32.exe

Filesize
80KB

MD5
65e2f8bc3e5c46ace943f290e0b9a450

SHA1
1bc59015b0649bfd6cb20a671266c1b746465f63

SHA256
88ce75339ea2d158883d7b379c104e48fac090bda9abad490ea418d3791a489d

SHA512
44b86fda9287ad07ce1d52172fe0242b14ac0c8149559ad434d33c885d7ecd0e1fb32ea1e7b6512ee4a89df08376364ee2904a0de2ffdd6ff2d431edf2cf5fff

Download Submit
C:\Windows\SysWOW64\Qcepkg32.exe

Filesize
80KB

MD5
a6700aee3c1aeb673fe39e08b6670e94

SHA1
e94046467a6e04fd68e83d9c2b443e1149955b4f

SHA256
99e4d678c4c1bc243f4fbebbbd892f9ca470786c201fc0004b4145834caa6dbd

SHA512
4e88da2cda13fb7f94b18d4ca7177aae7f53dc57914acc5b918231a11754015112e9893b3fe9d99f79e781547a36f0aad5dd4132d579f4ad1b0511c6ef83af19

Download Submit
C:\Windows\SysWOW64\Qchmagie.exe

Filesize
80KB

MD5
402ab5a1765aea4831c691c33bab250c

SHA1
c57d29d9cd949f30471f1509e2af38d07074f693

SHA256
77ebb99defe22f9dbdc87012d3e4cbe5df12c7d657d6372297b83d65a29fc757

SHA512
f492ab0b9d2e8465aecce9e16014cfe73cb5b165e2a8dcf2102512e9991554eec5d535693b077f98df405e47ecd6e990301558fba59bea043bc15401dd6e52a0

Download Submit
C:\Windows\SysWOW64\Qecppkdm.exe

Filesize
80KB

MD5
4bd6acb098fd764668a28d6aa0ea9d83

SHA1
8aa7d16d3158974f8ce9c71726b4437d332e7b09

SHA256
7edebcd21c7ebc8dd0bbb5eb081e4b642590a416649e6c7bf28f823811ad7289

SHA512
082849e97b06669c3b5f29dca19151b410929b7a041c78a8684e46eb2a1eab5c1ba8af045c1aa2862222b177379ee196244317998efd49dcc4891c6a97b5445b

Download Submit
C:\Windows\SysWOW64\Qkmhlekj.exe

Filesize
80KB

MD5
d49312570f47b4672cfcdb47fb8c9bcb

SHA1
4461fce4aa8e40338c38dbae8b2e25bd0afef9df

SHA256
9523e847da4dee7aed9ee3ee14d139b132f612566d16ca8a4950dba3706f6c23

SHA512
664662dc7ec54692a90415a231b314828768b2f1861a5b6822199e51e7ad3bb6b2e22cca2cb2ceca7138ee237bc402c942354a2d26a46c45d61f0bae263623d3

Download Submit
C:\Windows\SysWOW64\Qloebdig.exe

Filesize
80KB

MD5
29bdb3c4187867a76b23d6ce970016f9

SHA1
7e058b7a58a20e43b2c5fd2e57d8d2889aad286e

SHA256
051c6b612c9f6b82579c968e2e4e57b433d79d23c740ebf0109569259ac0c970

SHA512
59acab95277a76d1330e8ed9495b7f838938cd3f39bb005c8050119949b6df22b5daca157c2a3c8ef7e79721b36e3dc4299ee1be6e7e7fa3cbff647624cbc186

Download Submit
C:\Windows\SysWOW64\Qnnanphk.exe

Filesize
80KB

MD5
3a1b933cf2a4228af9f13e297eb75ae1

SHA1
d3837b762aa899cc72398fc7094faeb7d6c3186a

SHA256
45dcfb658a2e0bab4243d33ed8b3474d83fdd4eaac0dd7a5b0cbf1655b1ce567

SHA512
7e2e729be92a9d143a7d5f105c25b4e764af9ce3870a9dbc833c70b9704ba927a4ac4444d3ed1deb51515761d58c77628572df1409c7a0df03d5c6b384888d01

Download Submit
memory/224-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/772-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1332-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1664-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1700-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2176-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2880-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2996-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3144-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3236-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3436-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3480-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3484-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3684-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3740-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3884-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3976-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4196-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4280-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4372-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4396-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4500-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4556-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4884-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4996-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5016-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads