cf4ca84e3ec8178839f3367150e32cdcfcf540a95e74ab2a5f86d204de05246d

Analysis

max time kernel
93s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf4ca84e3ec8178839f3367150e32cdcfcf540a95e74ab2a5f86d204de05246d.exe
Size

128KB
MD5

d0857bf78d203d3526629aaefb8e861c
SHA1

a7cddaedddb58b55c0db9827c9e7eaff9ff980b5
SHA256

cf4ca84e3ec8178839f3367150e32cdcfcf540a95e74ab2a5f86d204de05246d
SHA512

1aad1875aeff80edf2cade4597aadf081048dfb45be59792abf99f08752b862ed2baf7fb46cd13ec843cb69c433e30fd0e91a49c2624f5d72fd26ce7d717e327
SSDEEP

3072:7Crl2NyFckMp/krwwLt/DCYGRHPMQH2qC7ZQOlzSLUK6MwGsGnDc9nhViX:7El2NIIeEwLt/DCYGHPMQWfdQOhwJ6Md

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pahkjbop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbjdiedp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbpacfmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpikgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahkflk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cimhckeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefemliq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cf4ca84e3ec8178839f3367150e32cdcfcf540a95e74ab2a5f86d204de05246d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plifll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahppgjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeacko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhqjchp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cojqkbdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paaeiceg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbofkbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe

Executes dropped EXE 64 IoCs

pid	Process
752	Paaeiceg.exe
2164	Pihmjqfj.exe
4716	Phkmem32.exe
4032	Ppbegkmg.exe
4564	Pbpacfmj.exe
972	Plifll32.exe
3964	Pngbhg32.exe
2088	Paendb32.exe
4980	Pimfep32.exe
968	Plkbak32.exe
4580	Pniomgpl.exe
4132	Pahkjbop.exe
5112	Piockppb.exe
3204	Phbcfl32.exe
5000	Qpikgj32.exe
4968	Qnlkcfni.exe
3284	Qbggce32.exe
4772	Qhdpll32.exe
4044	Qlpllkmc.exe
1656	Qnnhhflf.exe
3656	Qbjdiedp.exe
5032	Qehqepcc.exe
4180	Qhfmalbg.exe
4584	Ablaodbm.exe
4260	Aaoaja32.exe
2112	Aocace32.exe
3736	Ahkflk32.exe
5088	Aoeniefo.exe
2872	Aackeqeb.exe
2640	Aliobieh.exe
540	Aeacko32.exe
1124	Ahppgjjl.exe
4948	Apggihko.exe
452	Abedecjb.exe
1988	Bpidngil.exe
1976	Bbhqjchp.exe
4996	Befmfngc.exe
3048	Bhdibj32.exe
400	Booaodnd.exe
1172	Bammlomg.exe
2584	Bhgehi32.exe
3440	Blbaihmn.exe
2616	Baojaoke.exe
2740	Blennh32.exe
4792	Bpqjofcd.exe
3528	Bbofkbbh.exe
4372	Bemcgmak.exe
744	Biiohl32.exe
1152	Bpcgdfaa.exe
4292	Boegpc32.exe
2768	Beppmmoi.exe
1732	Bikkml32.exe
3240	Clihig32.exe
1436	Cohdebfi.exe
4164	Cimhckeo.exe
4604	Chphoh32.exe
3688	Cojqkbdf.exe
3488	Caimgncj.exe
4452	Cedihl32.exe
1608	Clnadfbp.exe
1868	Cakjmm32.exe
1588	Cefemliq.exe
2208	Coojfa32.exe
4076	Ceibclgn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Biiohl32.exe	Bemcgmak.exe
File opened for modification	C:\Windows\SysWOW64\Cakjmm32.exe	Clnadfbp.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Bbhqjchp.exe	Bpidngil.exe
File created	C:\Windows\SysWOW64\Baojaoke.exe	Blbaihmn.exe
File created	C:\Windows\SysWOW64\Hfbqnjem.dll	Bemcgmak.exe
File opened for modification	C:\Windows\SysWOW64\Dhnepfpj.exe	Dadlclim.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Paaeiceg.exe	cf4ca84e3ec8178839f3367150e32cdcfcf540a95e74ab2a5f86d204de05246d.exe
File created	C:\Windows\SysWOW64\Cedihl32.exe	Caimgncj.exe
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Pimfep32.exe	Paendb32.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jhgiab32.dll	Paendb32.exe
File opened for modification	C:\Windows\SysWOW64\Pniomgpl.exe	Plkbak32.exe
File opened for modification	C:\Windows\SysWOW64\Ahppgjjl.exe	Aeacko32.exe
File opened for modification	C:\Windows\SysWOW64\Clihig32.exe	Bikkml32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Pbpacfmj.exe	Ppbegkmg.exe
File opened for modification	C:\Windows\SysWOW64\Bpqjofcd.exe	Blennh32.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Qpikgj32.exe	Phbcfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ahkflk32.exe	Aocace32.exe
File opened for modification	C:\Windows\SysWOW64\Abedecjb.exe	Apggihko.exe
File opened for modification	C:\Windows\SysWOW64\Ffbnph32.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Qehqepcc.exe	Qbjdiedp.exe
File created	C:\Windows\SysWOW64\Fqhgbj32.dll	Qhfmalbg.exe
File created	C:\Windows\SysWOW64\Ahppgjjl.exe	Aeacko32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Ibnmeecd.dll	Ahppgjjl.exe
File created	C:\Windows\SysWOW64\Abmafgei.dll	Bpidngil.exe
File opened for modification	C:\Windows\SysWOW64\Cohdebfi.exe	Clihig32.exe
File created	C:\Windows\SysWOW64\Clnadfbp.exe	Cedihl32.exe
File opened for modification	C:\Windows\SysWOW64\Dcdimopp.exe	Dhnepfpj.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	Fqaeco32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7276	8140	WerFault.exe	341

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgiqced.dll"	Ahkflk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beppmmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokakckp.dll"	Denlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qlpllkmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bammlomg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paendb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qonnknli.dll"	Ccmclp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piockppb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blbaihmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cefemliq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpfgh32.dll"	Abedecjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cimhckeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clnadfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpelbolg.dll"	Aeacko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnfol32.dll"	Bpqjofcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmqcaaj.dll"	Clihig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccgkde.dll"	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 752	532	cf4ca84e3ec8178839f3367150e32cdcfcf540a95e74ab2a5f86d204de05246d.exe	83
PID 532 wrote to memory of 752	532	cf4ca84e3ec8178839f3367150e32cdcfcf540a95e74ab2a5f86d204de05246d.exe	83
PID 532 wrote to memory of 752	532	cf4ca84e3ec8178839f3367150e32cdcfcf540a95e74ab2a5f86d204de05246d.exe	83
PID 752 wrote to memory of 2164	752	Paaeiceg.exe	84
PID 752 wrote to memory of 2164	752	Paaeiceg.exe	84
PID 752 wrote to memory of 2164	752	Paaeiceg.exe	84
PID 2164 wrote to memory of 4716	2164	Pihmjqfj.exe	85
PID 2164 wrote to memory of 4716	2164	Pihmjqfj.exe	85
PID 2164 wrote to memory of 4716	2164	Pihmjqfj.exe	85
PID 4716 wrote to memory of 4032	4716	Phkmem32.exe	86
PID 4716 wrote to memory of 4032	4716	Phkmem32.exe	86
PID 4716 wrote to memory of 4032	4716	Phkmem32.exe	86
PID 4032 wrote to memory of 4564	4032	Ppbegkmg.exe	87
PID 4032 wrote to memory of 4564	4032	Ppbegkmg.exe	87
PID 4032 wrote to memory of 4564	4032	Ppbegkmg.exe	87
PID 4564 wrote to memory of 972	4564	Pbpacfmj.exe	88
PID 4564 wrote to memory of 972	4564	Pbpacfmj.exe	88
PID 4564 wrote to memory of 972	4564	Pbpacfmj.exe	88
PID 972 wrote to memory of 3964	972	Plifll32.exe	89
PID 972 wrote to memory of 3964	972	Plifll32.exe	89
PID 972 wrote to memory of 3964	972	Plifll32.exe	89
PID 3964 wrote to memory of 2088	3964	Pngbhg32.exe	90
PID 3964 wrote to memory of 2088	3964	Pngbhg32.exe	90
PID 3964 wrote to memory of 2088	3964	Pngbhg32.exe	90
PID 2088 wrote to memory of 4980	2088	Paendb32.exe	91
PID 2088 wrote to memory of 4980	2088	Paendb32.exe	91
PID 2088 wrote to memory of 4980	2088	Paendb32.exe	91
PID 4980 wrote to memory of 968	4980	Pimfep32.exe	92
PID 4980 wrote to memory of 968	4980	Pimfep32.exe	92
PID 4980 wrote to memory of 968	4980	Pimfep32.exe	92
PID 968 wrote to memory of 4580	968	Plkbak32.exe	93
PID 968 wrote to memory of 4580	968	Plkbak32.exe	93
PID 968 wrote to memory of 4580	968	Plkbak32.exe	93
PID 4580 wrote to memory of 4132	4580	Pniomgpl.exe	94
PID 4580 wrote to memory of 4132	4580	Pniomgpl.exe	94
PID 4580 wrote to memory of 4132	4580	Pniomgpl.exe	94
PID 4132 wrote to memory of 5112	4132	Pahkjbop.exe	95
PID 4132 wrote to memory of 5112	4132	Pahkjbop.exe	95
PID 4132 wrote to memory of 5112	4132	Pahkjbop.exe	95
PID 5112 wrote to memory of 3204	5112	Piockppb.exe	96
PID 5112 wrote to memory of 3204	5112	Piockppb.exe	96
PID 5112 wrote to memory of 3204	5112	Piockppb.exe	96
PID 3204 wrote to memory of 5000	3204	Phbcfl32.exe	97
PID 3204 wrote to memory of 5000	3204	Phbcfl32.exe	97
PID 3204 wrote to memory of 5000	3204	Phbcfl32.exe	97
PID 5000 wrote to memory of 4968	5000	Qpikgj32.exe	98
PID 5000 wrote to memory of 4968	5000	Qpikgj32.exe	98
PID 5000 wrote to memory of 4968	5000	Qpikgj32.exe	98
PID 4968 wrote to memory of 3284	4968	Qnlkcfni.exe	99
PID 4968 wrote to memory of 3284	4968	Qnlkcfni.exe	99
PID 4968 wrote to memory of 3284	4968	Qnlkcfni.exe	99
PID 3284 wrote to memory of 4772	3284	Qbggce32.exe	100
PID 3284 wrote to memory of 4772	3284	Qbggce32.exe	100
PID 3284 wrote to memory of 4772	3284	Qbggce32.exe	100
PID 4772 wrote to memory of 4044	4772	Qhdpll32.exe	101
PID 4772 wrote to memory of 4044	4772	Qhdpll32.exe	101
PID 4772 wrote to memory of 4044	4772	Qhdpll32.exe	101
PID 4044 wrote to memory of 1656	4044	Qlpllkmc.exe	102
PID 4044 wrote to memory of 1656	4044	Qlpllkmc.exe	102
PID 4044 wrote to memory of 1656	4044	Qlpllkmc.exe	102
PID 1656 wrote to memory of 3656	1656	Qnnhhflf.exe	103
PID 1656 wrote to memory of 3656	1656	Qnnhhflf.exe	103
PID 1656 wrote to memory of 3656	1656	Qnnhhflf.exe	103
PID 3656 wrote to memory of 5032	3656	Qbjdiedp.exe	104

C:\Users\Admin\AppData\Local\Temp\cf4ca84e3ec8178839f3367150e32cdcfcf540a95e74ab2a5f86d204de05246d.exe
"C:\Users\Admin\AppData\Local\Temp\cf4ca84e3ec8178839f3367150e32cdcfcf540a95e74ab2a5f86d204de05246d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\Paaeiceg.exe
  C:\Windows\system32\Paaeiceg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\Pihmjqfj.exe
    C:\Windows\system32\Pihmjqfj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\Phkmem32.exe
      C:\Windows\system32\Phkmem32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Windows\SysWOW64\Ppbegkmg.exe
        
        C:\Windows\system32\Ppbegkmg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\SysWOW64\Pbpacfmj.exe
        
        C:\Windows\system32\Pbpacfmj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Plifll32.exe
        
        C:\Windows\system32\Plifll32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Pngbhg32.exe
        
        C:\Windows\system32\Pngbhg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Paendb32.exe
        
        C:\Windows\system32\Paendb32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Pimfep32.exe
        
        C:\Windows\system32\Pimfep32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Plkbak32.exe
        
        C:\Windows\system32\Plkbak32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Pniomgpl.exe
        
        C:\Windows\system32\Pniomgpl.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Pahkjbop.exe
        
        C:\Windows\system32\Pahkjbop.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Piockppb.exe
        
        C:\Windows\system32\Piockppb.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Phbcfl32.exe
        
        C:\Windows\system32\Phbcfl32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Qpikgj32.exe
        
        C:\Windows\system32\Qpikgj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Qnlkcfni.exe
        
        C:\Windows\system32\Qnlkcfni.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Qbggce32.exe
        
        C:\Windows\system32\Qbggce32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Qhdpll32.exe
        
        C:\Windows\system32\Qhdpll32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Qlpllkmc.exe
        
        C:\Windows\system32\Qlpllkmc.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Qnnhhflf.exe
        
        C:\Windows\system32\Qnnhhflf.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Qbjdiedp.exe
        
        C:\Windows\system32\Qbjdiedp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Qehqepcc.exe
        
        C:\Windows\system32\Qehqepcc.exe
        23⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Qhfmalbg.exe
        
        C:\Windows\system32\Qhfmalbg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Ablaodbm.exe
        
        C:\Windows\system32\Ablaodbm.exe
        25⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Aaoaja32.exe
        
        C:\Windows\system32\Aaoaja32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\SysWOW64\Aocace32.exe
        
        C:\Windows\system32\Aocace32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Ahkflk32.exe
        
        C:\Windows\system32\Ahkflk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Aoeniefo.exe
        
        C:\Windows\system32\Aoeniefo.exe
        29⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Aackeqeb.exe
        
        C:\Windows\system32\Aackeqeb.exe
        30⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\Aliobieh.exe
        
        C:\Windows\system32\Aliobieh.exe
        31⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Aeacko32.exe
        
        C:\Windows\system32\Aeacko32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ahppgjjl.exe
        
        C:\Windows\system32\Ahppgjjl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\Apggihko.exe
        
        C:\Windows\system32\Apggihko.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Abedecjb.exe
        
        C:\Windows\system32\Abedecjb.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Bpidngil.exe
        
        C:\Windows\system32\Bpidngil.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Bbhqjchp.exe
        
        C:\Windows\system32\Bbhqjchp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Befmfngc.exe
        
        C:\Windows\system32\Befmfngc.exe
        38⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Bhdibj32.exe
        
        C:\Windows\system32\Bhdibj32.exe
        39⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        40⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Bammlomg.exe
        
        C:\Windows\system32\Bammlomg.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Bhgehi32.exe
        
        C:\Windows\system32\Bhgehi32.exe
        42⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Blbaihmn.exe
        
        C:\Windows\system32\Blbaihmn.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Baojaoke.exe
        
        C:\Windows\system32\Baojaoke.exe
        44⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Blennh32.exe
        
        C:\Windows\system32\Blennh32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Bpqjofcd.exe
        
        C:\Windows\system32\Bpqjofcd.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        49⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        50⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        51⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        55⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        57⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        62⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        64⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        65⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        66⤵
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        67⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1216
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        69⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        70⤵
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        71⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        72⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        73⤵
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        74⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        75⤵
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        76⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        77⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4412
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        79⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        80⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        81⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        82⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        83⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        84⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        85⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        86⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        90⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        91⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        92⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        94⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        95⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        96⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        99⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        100⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        102⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        103⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        104⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        105⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        107⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        110⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        111⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        112⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        113⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        116⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        118⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        119⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        120⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        122⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        123⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        125⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        126⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        127⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        128⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        130⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        131⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        132⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        133⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        134⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        136⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        137⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        138⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        140⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        142⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        143⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        144⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        145⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        146⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        147⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        149⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        152⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        153⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        154⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        155⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        159⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        162⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        163⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        164⤵
        Modifies registry class
        
        PID:7060
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7100
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        166⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        168⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        171⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        174⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        176⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        177⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        178⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        179⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        180⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        182⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        184⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        185⤵
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        186⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        187⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7140
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        191⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        192⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        193⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        194⤵
        Drops file in System32 directory
        
        PID:6692
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        195⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        196⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        197⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        198⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        199⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        200⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        201⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        203⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        204⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        205⤵
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        206⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7288
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        208⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7328
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        209⤵
        Drops file in System32 directory
        
        PID:7376
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7412
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        211⤵
        Modifies registry class
        
        PID:7460
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        212⤵
        Drops file in System32 directory
        
        PID:7500
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        213⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        214⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        215⤵
        Drops file in System32 directory
        
        PID:7620
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        216⤵
        Modifies registry class
        
        PID:7668
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        217⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        218⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        219⤵
        Modifies registry class
        
        PID:7788
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        220⤵
        Modifies registry class
        
        PID:7836
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        221⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        222⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8004
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        225⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8084
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        227⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        228⤵
        Drops file in System32 directory
        
        PID:8172
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7176
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        230⤵
        Drops file in System32 directory
        
        PID:7236
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        231⤵
        Modifies registry class
        
        PID:7320
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        232⤵
        Drops file in System32 directory
        
        PID:7360
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7444
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        234⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        235⤵
        Drops file in System32 directory
        
        PID:7568
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        236⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        237⤵
        Modifies registry class
        
        PID:7720
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        238⤵
        Drops file in System32 directory
        
        PID:7784
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        239⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        240⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        241⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        242⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        243⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        244⤵
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        245⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        246⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7404
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        248⤵
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        249⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7608
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        250⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        251⤵
        Drops file in System32 directory
        
        PID:7828
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        252⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        253⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        254⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8140 -s 400
        255⤵
        Program crash
        
        PID:7276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 8140 -ip 8140
1⤵
PID:6172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aackeqeb.exe

Filesize
128KB

MD5
d27f1e4747a92299f04f0a6af1d2787d

SHA1
08044810060a3f7312e34777f82fa9d7cde2309c

SHA256
77fd8a0112d81d6c92629efc53247ab9d8799858dd62a6ffc5707940a2d9caca

SHA512
3b6c26aba46e74edba34e28f0ddc7892b533c3124c058e70e80598ed77f5ef7e79e4b98bb31e9bf5edcd004684226d963f4367174259373370964eef9791ad86

Download Submit
C:\Windows\SysWOW64\Aaoaja32.exe

Filesize
128KB

MD5
cde4a2ee17149d2bba222ac354e7d440

SHA1
e32cbd12af08feb502a9a1cabaf1f1b3f5ed1568

SHA256
542c6c8a6fb9cb4753cbd6612c726210471ad5f8f42bf6f43080564b2c233957

SHA512
69bbded9e6638c91a4033290e1d88fcf0ac40ff1d934139ac7d694de94aa67d8f0e6ed4805d4919ac7a2ffc9a4a2bd4189636c3bccef8da2e720a1b305c11aa9

Download Submit
C:\Windows\SysWOW64\Ablaodbm.exe

Filesize
128KB

MD5
3c4a03320b0f2ec28b21c389e8c5dc44

SHA1
f7e1c42bdbb3392380adc126c5216569cfc0c2b3

SHA256
3c213489d5854185564888744f1983f57940afc92fc65c5fcf53017343f2b7de

SHA512
201864e891b7aabfedacfc4d0cc19bdc72d3710e355eb46f6f9db778246d34fd1ec35c39bf754aa984fea9c89d2113a9fd6cb5bb65c60fdf04834e4eed4b73a2

Download Submit
C:\Windows\SysWOW64\Aeacko32.exe

Filesize
128KB

MD5
3bae4b936531b7c9def4de178c2efdc1

SHA1
3aaac169abe2b71d84ccb13c3eb0620728a9429e

SHA256
a8b2cf2d304309f6f05fe2d5cde8f9f2d41cee2d00f4be4d028c130a5b3cac76

SHA512
852a971001e084a2a8ee112c73585daf385ae8614b04a7f2f6851f2330101226cb97a101c3c973a50ff6461d043eb765dfd6f8efeaaf98167f1579e9d2a5acb4

Download Submit
C:\Windows\SysWOW64\Ahkflk32.exe

Filesize
128KB

MD5
69a3448d2b717a508ca186407ada2442

SHA1
b14d73bda7be9c57b58a7c6d34bcccae90faf1cc

SHA256
dbdb2cace39ab4bf9e292423c602d5e058c6db5c27242ec6a9e24cb1527266e2

SHA512
3de9ea9758860707114f8d6491d9ebf2d5e3b919908c10156d0a7697e95b66d37c0ae3c368b51dd26a45ba8544c73630853dbd5120f28c7943e6ba9bbc35e266

Download Submit
C:\Windows\SysWOW64\Ahppgjjl.exe

Filesize
128KB

MD5
49a2eb71cd0fc03314917feba0fafd7f

SHA1
2c30d0550c4e4a96da2ba5451c889b953b646143

SHA256
433f3485a213391011fe08b73d5ecd79616e793bdaba7e2ba3e2d630a96de396

SHA512
4d5cd52d07db78b543bc6f87010ac84213dfd4a48eaf6daceed495f465e03ffbc287e47f2996addcfd238ae734d6d5f02e4c3266ac3496962fa1835956de2c3a

Download Submit
C:\Windows\SysWOW64\Aliobieh.exe

Filesize
128KB

MD5
d07a3b2000e5df13fa8133b458bb8132

SHA1
26da08567721deeb5858ce84b4cfa5790cd379f9

SHA256
b4e1aaebd65d56853b155a18059e861f1abad01ee0158de82ee77aa072566744

SHA512
c3e56bb98b6b674516cb72b01931cd694f60525f2c614a32015dfa80593af4388da7f2935a1e112f84df2f41a764413ac7e5edc500f209a0c29124fbaed1dec4

Download Submit
C:\Windows\SysWOW64\Aocace32.exe

Filesize
128KB

MD5
699ed0f67efae830356d3ddd7fc51c90

SHA1
c2cf30ee58ac4701aa8d9565b45161def167bc33

SHA256
4356f0d483a96c0b30140ef4f61256a2cee1ac070c1625b6a9adcbe66e2edcf9

SHA512
89b4e80f99acf89d4cceca8b0127966082a0e090311bf66e5b3d886b2142ea724240c6de732ceb65a2360908b451f378a24c984f0a9e5d12994503ab08e969fa

Download Submit
C:\Windows\SysWOW64\Aoeniefo.exe

Filesize
128KB

MD5
61c4fef064d4a5d01c6b847e53bae7e3

SHA1
0da9d7b88a3bf13763915058c3320d3d4522bd80

SHA256
17fa8e64040007897622044e24ebb3a6157ba3019b1a86419bd0b886ac92701f

SHA512
ff9967cb9f2ba0a92cf2ad59e1dd22f24428d7651e009614bdeab4caa50d18a834a9805313b28cdab5eef7357d717bab2c9d1646ec5a35ac4a2fb2e30e2761a6

Download Submit
C:\Windows\SysWOW64\Biiohl32.exe

Filesize
128KB

MD5
ac969c4742aeea63e60ec3341e8a4f2b

SHA1
e1165bb613cf712a49bd862e2d84712506b11899

SHA256
83e1faca51fdcb53fac8d1734929971acfc71a37ff5b999e30106adb3db297b4

SHA512
ead49f57f3101903856d0a63c0903895cc853bcea70ae650285af0cd71b4c39dce36a1f8213cf007704ff148ecc8d45512921c71aede3094b06154f165174deb

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
128KB

MD5
4bd0700d868b49471ccf44efe32d10f0

SHA1
b25f059fbe2dd21b026533f9c99cab063b006b37

SHA256
5c7721f44dc6e0c9d1df776fd5246438266822c802c53f08430baf4075ae9b22

SHA512
6fa8493f670cf78588cb833f871c92f6751057df7a2f0967eed58bb23811f2f20fcf5a44df2a7f3d8918dae4418c502ba53790d88e0f8304c7c7d53a5e18d58d

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
128KB

MD5
c0407b3ee8c51b5910fd7e1fcbff78fc

SHA1
5150a3ff4abdb37753a91ac44bcd7b67b1cacde2

SHA256
dad84bb3db9404369a545710a25b5de34618882149b92fb95db677a8a9a889d2

SHA512
a800169a244f248dda6a16705cd083709b8e7112e5e977457d071c6bbdb5ed1b449170f9922c96067090d63f79c8792563acb6a067b79889666f3dfcf4b6a238

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
128KB

MD5
bc78c0cdb736f40ea8b39b45f7acbd67

SHA1
711a06ad78b0cf6cda423f0086479cf7fbebe284

SHA256
97e20d3ad4071bb3cfccbc8d0001220c3c849de78bb4bef61f1e6fa152ba41e9

SHA512
cffd0aa73fff14d866efd6587ff798a75e10ed72289ae7197a998535c9ad4d4c8aea4947acdea34edb51b0b6f4863ada4f66233dcf70fe8f74a5e6aad7a7e2be

Download Submit
C:\Windows\SysWOW64\Paaeiceg.exe

Filesize
128KB

MD5
486f51f5da88b2f47ddf8c038cdaec04

SHA1
11ff72e0c21074c8319323f583f5665d9f927570

SHA256
66b264573ef274bf89f3d5aed7bcbda5142a81b8f8107f4af6526cc560eebe9f

SHA512
c5879c442c5fcb976fb5b84e53c0ca4563eab90dce7d6b408b27e8e1b3b4dfbab811b7677f0de982a56bad1ae4ad8098cb456cd1c64b7ec6266fa82ea5dc3727

Download Submit
C:\Windows\SysWOW64\Paendb32.exe

Filesize
128KB

MD5
366ea65ddecab47f5bdf3da466c75a09

SHA1
24625713a428e26d3105703b76eeafead83e884a

SHA256
6a3928c5a52b2bddb2a3135643b97fbba97dc41cd0d6fbbcbe29a96b0a22e664

SHA512
c2069e9769def7c338a8f453c5b2df76372a41186c1bda4a1223125607ebd0b3461dd82a224d1c81dc79b84122a0949ac3c00a6b47d7d88bd0e8b98b3421a8c4

Download Submit
C:\Windows\SysWOW64\Pahkjbop.exe

Filesize
128KB

MD5
442ef8437d79e016e8ab61fe6d22b6b9

SHA1
2f1f83a13997285160f362bdc5e00ea12607088c

SHA256
cb8b260bae6cc70946c4c7fb59b48f4948d971e94de81948c3cc93c8bfd9cd6a

SHA512
d654b39cd402f9519dcb3d78d071c6602487feacbf7f8d73325af679a0fb6b1b9db84dc3d8162b431233bed4e90d43defa8fc081e789e40d64a6bd782f44a7a4

Download Submit
C:\Windows\SysWOW64\Pbpacfmj.exe

Filesize
128KB

MD5
15777103c0aa6cf0bb53f92deb25a42e

SHA1
7b48808f9bec4646af4e2e98e177318418e54bc6

SHA256
edc36a4eb8cd3014ab5ad49fe658aa30fe202b4fc269fda7947b50bce072f00a

SHA512
4ca338b01afd409ae7b207333e07aa30f08c247a6704c7bf7450156589e1eb718d48f0cc96afc44207ad829a925c46744f245515d9b24cfd82e2ea8d9c01b971

Download Submit
C:\Windows\SysWOW64\Phbcfl32.exe

Filesize
128KB

MD5
a4595790257668629d2f22ec4000da0b

SHA1
aa5e7344b702834986f41a2d93616ba96d7886ad

SHA256
908a8789d4b15a06066d1f00c4feb83176d3e976efaaff3c994c4f7d40280e39

SHA512
4b589b8d6fe7214be6fefd99d45576cdb7b4b20172b5c15f04b0b8bd956484df7ef32f8cce39c15b2b23c8174274d1b9b43ea4999cfb6cdd65a891a326bbb9d6

Download Submit
C:\Windows\SysWOW64\Phkmem32.exe

Filesize
128KB

MD5
a7471e84242454eddf9b0c26df7bf10b

SHA1
4c5b922ee0785e68af4fff16f6385fe682090ffa

SHA256
db082c9c40475485280250b25272631ff3744c89f97716689d1c10ea9850473c

SHA512
dd4a6c6bd881c837470eb27f3bdf919639fe887e06c1ba28ebd01809aa94146515f89c18b733ef5d0a2e12e5499aae1de61a61a823219a3afaed821ba467c56a

Download Submit
C:\Windows\SysWOW64\Pihmjqfj.exe

Filesize
128KB

MD5
4bf116783f2490d4bf72fe14b064791a

SHA1
e9277611ab02bc6cc0d2f39c031c70fc9b8b8a43

SHA256
29f7e82f6a08bcf94d3f4776e6688bbf80047d43dfe1c8ac9d7154378e846018

SHA512
403d6d0c08e4860ec50a30290206b63ba89213b5cbd3ac65955a8d942e52eb60a800fcce7df5f0b678caec6342ba9e4188c3f7c10bf576475ec1581c19d04e94

Download Submit
C:\Windows\SysWOW64\Pimfep32.exe

Filesize
128KB

MD5
a53f64fe42a3ce530530ad3da78d1cff

SHA1
ba248419fbe95ade73290fe0100787aa9aee783d

SHA256
8ab1b7975361dcf9782615f46e5b5d004a39fb9fd7e2c9b01f7486398eca81a3

SHA512
76b4b6d92bc4fe43b57f77af49aa18becb23f92f4b8295d52442b298a0cef9b41e6bec951bcfcec076f66754c8a4d6efff176cf249b00a15d60172972b87dce4

Download Submit
C:\Windows\SysWOW64\Piockppb.exe

Filesize
128KB

MD5
91a927c4336b0d3d4da961910c2b60bf

SHA1
09434382427fba805b0f3c930dd968a09949c451

SHA256
2413ef7c5ca0a906f88c34baea5674d7810b127e2aaf65d6859038f1b618c76f

SHA512
9f00f48f409748d7113c6d249a10df4bcee85feb4e80ee1e12905687a0d66aa102800e453fe483afbd81728cdff872d21be32830766e05fe76a136a1d8fbdb08

Download Submit
C:\Windows\SysWOW64\Plifll32.exe

Filesize
128KB

MD5
257d5dd5ecd289ad90867d6fb10ff16f

SHA1
6dddf2153c31566f5f83aeb4c24308449533aed1

SHA256
780d0e6136eca980f1f2bec19a18380ff30b1bbcee6be467b906a17da3d0a170

SHA512
8eea9cc0b9deeefbb8cbe3bd3bfb7af210da82375804b8524a1a31a3e6245d7c49e597dfad19eb426376ee13c65bca9788cf8d0cdad8559461978eac24900416

Download Submit
C:\Windows\SysWOW64\Plkbak32.exe

Filesize
128KB

MD5
65ad47be5dc20c80533c26e0934f1b96

SHA1
8ab75df31f376dcf419ffdab77dad8856e8fc9fc

SHA256
c55fb479eb1a391ddf7c5df9e306f79eef4541e872c75a4a5fb37589fd0e22dd

SHA512
9ffe7822c23654e0caaaa99ae35a198cb4ae144636b271c641053936c2760d3e0f51a60871572d629678e48d95343998403d4e5eb253737b2ce711d580d35663

Download Submit
C:\Windows\SysWOW64\Pngbhg32.exe

Filesize
128KB

MD5
1a822646d59b81265d3e9a9cea05a0eb

SHA1
c607c698e6003017c3176d0589d47fa20fc3d18d

SHA256
600f4365b3004a869e48f7e46862c3bf3d28c2098bc93e7744810a65371cf076

SHA512
c5fea7f9795c32067949646871d0cf7a91311a988d4f582e4507530a7b48565278660e16d8fb22256c6169855a4af020eaf9a7ae8c4afa1530a052960108ee8e

Download Submit
C:\Windows\SysWOW64\Pniomgpl.exe

Filesize
128KB

MD5
9ef9b91f2d5d2c432d5972e1ae9676b4

SHA1
11e37e5d588e86ac67f711f15bdd1c5c9b652d5d

SHA256
ab2ef4fc85eb64bd47fefda9af9b202f8965c1d8b61dbf99027bf80e54d7ed8c

SHA512
5191af31fac0810c557bca43bf3514350840ae12a3c6480d5acf22aa47c6d313268566b27ef8a638c42c2b459b8a36c16aa35374d0af07c63d140c27a8d2d80c

Download Submit
C:\Windows\SysWOW64\Ppbegkmg.exe

Filesize
128KB

MD5
415103e593b00d05474d1a10e0326d6f

SHA1
95d2bfffd2544eb11a112d19a312d7c55abfe3ec

SHA256
9d81da2901b6e28b8bf96cd0f348035da9b6a2ec1c151fb05ece48a53b0c93c2

SHA512
dbb610d672be650acd8e5bd04a84edc470714e9b8001aa23f5d811f228b9333d2dcb89933b1c9933fd856d3b0e5fd8fdcc50b6cf2fe09b8e2fd719951e6fb08e

Download Submit
C:\Windows\SysWOW64\Qbggce32.exe

Filesize
128KB

MD5
f5ecaff30dd397d595492a0339fd35f7

SHA1
e74fcc2a8e5bf1a0494fc704d5e220e47d6fabff

SHA256
a337ce1fd6e43e3db55fe2858f75ba4cdce5fa4ab8611d519ec7a89e7300fee3

SHA512
b8767003b7fbd25deee26848b9bdd07615f0ce84650b237ec7a53a3e22d89fd97d1ac6358bb06fed4f751ca0d3f97da12727149bf56d4426cbf8003102186395

Download Submit
C:\Windows\SysWOW64\Qbjdiedp.exe

Filesize
128KB

MD5
202d4650b8a109d526e93eb23d7fff6b

SHA1
20f396a469f7869f0834c574c7944cb637d7cd62

SHA256
ea70b762502c8b28e2b6f3bf4d6d93fc5868e020c1e9056c69cc6dca4c59ea46

SHA512
89d5a8c91b4b50dcc5fc1e953cec80c6eb7b7466e1ccb8a8e8f8d9b9c01a500e09ce9e2636b498c0ec13cc5154371a264bd9feef1a6e66dc9eb371799b5450ff

Download Submit
C:\Windows\SysWOW64\Qehqepcc.exe

Filesize
128KB

MD5
2c0ba31d238d49288f078b9c1ae59e03

SHA1
834edc08f6e93470520adf886ff7c6e83682350a

SHA256
98028c93f06fbe70a5d4945e0548638337b99d64aa8999503677a892ec78eb49

SHA512
1dd1e73c18b98b2cb9a2cc0e1b22b8d17c28d28f002ab7cb033765ebb92927bea3593990cb03d8dd34328944063a0a9126c0bffb829db637f8b113b601db82ca

Download Submit
C:\Windows\SysWOW64\Qhdpll32.exe

Filesize
128KB

MD5
5d60f099c3d7ef590484e2f720b3debb

SHA1
3437c32cb69f607ee9bbfa066529eb25498afa1c

SHA256
d6a8526ec98842dbd1c3888031eb97e06812d09558f7b024d790179e8004db21

SHA512
8ec062ccf2af242acc04cbd4268dd0e16919f209f33400f8c4cf7acfd76163b49c751bead636d167c01a2c89f2ebc7c920cd6cec500852035a8267a727115401

Download Submit
C:\Windows\SysWOW64\Qhfmalbg.exe

Filesize
128KB

MD5
cebfec85539f227d8f4c00aa2ee7007b

SHA1
36a57f3543846d4482d1fb3048b2e47ab725ca98

SHA256
87aa6a1c3ef4176331bb99b5f445d821fdd24f9a058d31a5dbe7654569cbf33d

SHA512
54638460246995bb7e4022bcc2da16800216c58a3deabc523bcfd7627ef5a281fe04600d68bcd0786319761fb92773f4b3a18ff767687bddb74a2c7fac1b5bd1

Download Submit
C:\Windows\SysWOW64\Qlpllkmc.exe

Filesize
128KB

MD5
2bc4d7f5987f87f75da9bfbe3a666168

SHA1
16dc3b1c2f639effabb91a2a67bfde5833221e06

SHA256
85928c1d8489d0bc308a47739cc38e91c5421580b3aa7ef38bb6adf090c935c1

SHA512
5099f3428f7d6dfd0644e87e2130a96d03c9585bc607be216d87ae86cbcbf6d049ff624bcca6a5087bec347c1302ac926474ef6131fe1889454f3f414a710666

Download Submit
C:\Windows\SysWOW64\Qnlkcfni.exe

Filesize
128KB

MD5
f0e97aaaa089c0e3fbb62f85f74e1283

SHA1
5ccb294f0f99ff68a0dd14ef1194816b5a00bbd4

SHA256
5a9c88ac8bbb1141d56089bd362ec0ba64da348e1b7c880e1e1d96e161e02ed1

SHA512
b549359d9dc9e3c61bb09f165c8f866f349d79c481f678677580165f2afa8a2f6ea21ab30cd1bfd5af1ac61713f7b14f053272bd34e8e47de35518667aff0265

Download Submit
C:\Windows\SysWOW64\Qnnhhflf.exe

Filesize
128KB

MD5
fbde9355d78e8b703d241a1ecaf0f849

SHA1
a797098102d0a574f270270e24a7fbd99853cdb2

SHA256
c01339d09dca33eba3eb43575f2f9f7dd9712906294feb2a7a0d85a706ab1559

SHA512
6abd1dcf611fdaec6e1e46433edbcb4905ade60f9aab97b5a5c26440549e00d1115028cc921c55df96a554918a88c4656a73e22afc9d18f389044733e1241306

Download Submit
C:\Windows\SysWOW64\Qpikgj32.exe

Filesize
128KB

MD5
b6bf51461a87450337624c255eb17238

SHA1
00707acd40504489e56d4a2359cc204fd17cf91b

SHA256
ce38c50391488c8580de72ff20381fc4c7fc8e793f0ddf202dfb82401b1b35e9

SHA512
177d24203846d8d81f652fbcb0b511796505fb73b5aadda1809e4171f92e3e1e54ecbfb3c725e3893f313ca4a892cff93dead5e93a33ee38a1b9ce83098a90f9

Download Submit
memory/400-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/452-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/752-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/752-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/972-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/972-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1124-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-203-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3440-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3656-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3964-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3964-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-226-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4180-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4260-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4260-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4772-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4996-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads