17b4b2e1748748e59f10319e27ed2994320d28a27c630f63f85a33ac15a05359

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b4b2e1748748e59f10319e27ed2994320d28a27c630f63f85a33ac15a05359.exe
Size

99KB
MD5

b4ad4c21efe04862372c66d2704f1c1c
SHA1

39cd2de1a47579481a27203609722b63291edfd7
SHA256

17b4b2e1748748e59f10319e27ed2994320d28a27c630f63f85a33ac15a05359
SHA512

3a9a926a1e9ec69aa38a46607880a539e373c5953b1370d7e7c8fcf89fad5ec2bf2db76f048e1e2d1aed1aab6b15ccd437f10d2b38a2edb8b88ebed67dc15019
SSDEEP

3072:svCyC8LnhFvYFaT8eqMSd8t+ze6DeyTpwoTRBmDRGGurhUI:svCylhVYFs8BvdHq6qNm7UI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaanpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojqkbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccmclp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pecgja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clldogdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpcpkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aldegj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcopbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpnnig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Befmfngc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pimfep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoeniefo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bibigmpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clqnjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peajdajk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alkkhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppdbljkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cccpfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cipehkcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcopbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijaida32.exe

Executes dropped EXE 64 IoCs

pid	Process
2444	Pacaoc32.exe
4200	Pijjpp32.exe
4584	Phmjkmka.exe
2044	Ppdbljkd.exe
5088	Peajdajk.exe
4504	Pimfep32.exe
392	Ppgobjia.exe
408	Pbekne32.exe
4148	Pecgja32.exe
2040	Plmogkoe.exe
1856	Qnlkcfni.exe
1852	Qajhobmm.exe
1704	Qefdpq32.exe
1792	Qlpllkmc.exe
1356	Qpkhmi32.exe
4548	Qamdda32.exe
2016	Qehqepcc.exe
5116	Qhfmalbg.exe
3492	Aoqenf32.exe
368	Aaoaja32.exe
3204	Ahiigkqd.exe
536	Aldegj32.exe
3708	Aocace32.exe
3444	Aaanpa32.exe
2316	Aihfanhg.exe
2480	Aoeniefo.exe
4304	Aeoffo32.exe
4576	Aogkoedl.exe
4472	Aimoln32.exe
2600	Alkkhi32.exe
3188	Aojhdd32.exe
4000	Aahdqp32.exe
3084	Blnhni32.exe
3704	Boldjd32.exe
4604	Befmfngc.exe
3544	Bibigmpl.exe
4432	Bpladg32.exe
932	Bammlomg.exe
3572	Bidemmnj.exe
3820	Bpnnig32.exe
2464	Bbljeb32.exe
2996	Baojaoke.exe
716	Bifbbllg.exe
4012	Blennh32.exe
4308	Bbofkbbh.exe
4128	Bemcgmak.exe
5056	Bhlocipo.exe
1972	Bbacqape.exe
3688	Beppmmoi.exe
4292	Bikkml32.exe
1716	Clihig32.exe
2196	Cohdebfi.exe
4492	Cccpfa32.exe
4244	Cafpanem.exe
3152	Cimhckeo.exe
216	Clldogdc.exe
2596	Cojqkbdf.exe
4420	Ccfmla32.exe
2492	Cedihl32.exe
1744	Cipehkcl.exe
2964	Commqb32.exe
4596	Cakjmm32.exe
4712	Cefemliq.exe
2796	Cibank32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pijjpp32.exe	Pacaoc32.exe
File created	C:\Windows\SysWOW64\Aimoln32.exe	Aogkoedl.exe
File opened for modification	C:\Windows\SysWOW64\Dohmlp32.exe	Dpemacql.exe
File opened for modification	C:\Windows\SysWOW64\Elagacbk.exe	Ehekqe32.exe
File opened for modification	C:\Windows\SysWOW64\Eflhoigi.exe	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Fkindkmi.dll	Dcopbp32.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Qlpllkmc.exe	Qefdpq32.exe
File created	C:\Windows\SysWOW64\Bdhngp32.dll	Dohmlp32.exe
File created	C:\Windows\SysWOW64\Ampkqqjm.dll	Ecmlcmhe.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Bikkml32.exe	Beppmmoi.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Defbic32.dll	Pacaoc32.exe
File created	C:\Windows\SysWOW64\Dglajema.dll	Cimhckeo.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Kpmkpqcp.dll	Dcfebonm.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Dhnepfpj.exe	Dephckaf.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Qnlkcfni.exe	Plmogkoe.exe
File created	C:\Windows\SysWOW64\Bgadhj32.dll	Cccpfa32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Qpkhmi32.exe	Qlpllkmc.exe
File created	C:\Windows\SysWOW64\Iqopbm32.dll	Qhfmalbg.exe
File created	C:\Windows\SysWOW64\Ihgjcg32.dll	Bbljeb32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Qefdpq32.exe	Qajhobmm.exe
File created	C:\Windows\SysWOW64\Aihfanhg.exe	Aaanpa32.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Bammlomg.exe	Bpladg32.exe
File created	C:\Windows\SysWOW64\Eenphlji.dll	Cedihl32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Phmjkmka.exe	Pijjpp32.exe
File opened for modification	C:\Windows\SysWOW64\Ecmlcmhe.exe	Eoapbo32.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Qamdda32.exe	Qpkhmi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8724	8508	WerFault.exe	378

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfcpn32.dll"	Ceibclgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopfdhej.dll"	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Dlojkddn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Elagacbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaoaja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llebfo32.dll"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmoejkpj.dll"	Aogkoedl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbfkb32.dll"	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beppmmoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqlqc32.dll"	Beppmmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beppmmoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baojaoke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaanpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bibigmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokakckp.dll"	Denlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bammlomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqddbnon.dll"	Bidemmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnfol32.dll"	Blennh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmelmhjn.dll"	Pbekne32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 2444	5104	17b4b2e1748748e59f10319e27ed2994320d28a27c630f63f85a33ac15a05359.exe	86
PID 5104 wrote to memory of 2444	5104	17b4b2e1748748e59f10319e27ed2994320d28a27c630f63f85a33ac15a05359.exe	86
PID 5104 wrote to memory of 2444	5104	17b4b2e1748748e59f10319e27ed2994320d28a27c630f63f85a33ac15a05359.exe	86
PID 2444 wrote to memory of 4200	2444	Pacaoc32.exe	87
PID 2444 wrote to memory of 4200	2444	Pacaoc32.exe	87
PID 2444 wrote to memory of 4200	2444	Pacaoc32.exe	87
PID 4200 wrote to memory of 4584	4200	Pijjpp32.exe	88
PID 4200 wrote to memory of 4584	4200	Pijjpp32.exe	88
PID 4200 wrote to memory of 4584	4200	Pijjpp32.exe	88
PID 4584 wrote to memory of 2044	4584	Phmjkmka.exe	89
PID 4584 wrote to memory of 2044	4584	Phmjkmka.exe	89
PID 4584 wrote to memory of 2044	4584	Phmjkmka.exe	89
PID 2044 wrote to memory of 5088	2044	Ppdbljkd.exe	90
PID 2044 wrote to memory of 5088	2044	Ppdbljkd.exe	90
PID 2044 wrote to memory of 5088	2044	Ppdbljkd.exe	90
PID 5088 wrote to memory of 4504	5088	Peajdajk.exe	91
PID 5088 wrote to memory of 4504	5088	Peajdajk.exe	91
PID 5088 wrote to memory of 4504	5088	Peajdajk.exe	91
PID 4504 wrote to memory of 392	4504	Pimfep32.exe	92
PID 4504 wrote to memory of 392	4504	Pimfep32.exe	92
PID 4504 wrote to memory of 392	4504	Pimfep32.exe	92
PID 392 wrote to memory of 408	392	Ppgobjia.exe	93
PID 392 wrote to memory of 408	392	Ppgobjia.exe	93
PID 392 wrote to memory of 408	392	Ppgobjia.exe	93
PID 408 wrote to memory of 4148	408	Pbekne32.exe	94
PID 408 wrote to memory of 4148	408	Pbekne32.exe	94
PID 408 wrote to memory of 4148	408	Pbekne32.exe	94
PID 4148 wrote to memory of 2040	4148	Pecgja32.exe	95
PID 4148 wrote to memory of 2040	4148	Pecgja32.exe	95
PID 4148 wrote to memory of 2040	4148	Pecgja32.exe	95
PID 2040 wrote to memory of 1856	2040	Plmogkoe.exe	96
PID 2040 wrote to memory of 1856	2040	Plmogkoe.exe	96
PID 2040 wrote to memory of 1856	2040	Plmogkoe.exe	96
PID 1856 wrote to memory of 1852	1856	Qnlkcfni.exe	97
PID 1856 wrote to memory of 1852	1856	Qnlkcfni.exe	97
PID 1856 wrote to memory of 1852	1856	Qnlkcfni.exe	97
PID 1852 wrote to memory of 1704	1852	Qajhobmm.exe	98
PID 1852 wrote to memory of 1704	1852	Qajhobmm.exe	98
PID 1852 wrote to memory of 1704	1852	Qajhobmm.exe	98
PID 1704 wrote to memory of 1792	1704	Qefdpq32.exe	99
PID 1704 wrote to memory of 1792	1704	Qefdpq32.exe	99
PID 1704 wrote to memory of 1792	1704	Qefdpq32.exe	99
PID 1792 wrote to memory of 1356	1792	Qlpllkmc.exe	100
PID 1792 wrote to memory of 1356	1792	Qlpllkmc.exe	100
PID 1792 wrote to memory of 1356	1792	Qlpllkmc.exe	100
PID 1356 wrote to memory of 4548	1356	Qpkhmi32.exe	101
PID 1356 wrote to memory of 4548	1356	Qpkhmi32.exe	101
PID 1356 wrote to memory of 4548	1356	Qpkhmi32.exe	101
PID 4548 wrote to memory of 2016	4548	Qamdda32.exe	102
PID 4548 wrote to memory of 2016	4548	Qamdda32.exe	102
PID 4548 wrote to memory of 2016	4548	Qamdda32.exe	102
PID 2016 wrote to memory of 5116	2016	Qehqepcc.exe	103
PID 2016 wrote to memory of 5116	2016	Qehqepcc.exe	103
PID 2016 wrote to memory of 5116	2016	Qehqepcc.exe	103
PID 5116 wrote to memory of 3492	5116	Qhfmalbg.exe	104
PID 5116 wrote to memory of 3492	5116	Qhfmalbg.exe	104
PID 5116 wrote to memory of 3492	5116	Qhfmalbg.exe	104
PID 3492 wrote to memory of 368	3492	Aoqenf32.exe	105
PID 3492 wrote to memory of 368	3492	Aoqenf32.exe	105
PID 3492 wrote to memory of 368	3492	Aoqenf32.exe	105
PID 368 wrote to memory of 3204	368	Aaoaja32.exe	106
PID 368 wrote to memory of 3204	368	Aaoaja32.exe	106
PID 368 wrote to memory of 3204	368	Aaoaja32.exe	106
PID 3204 wrote to memory of 536	3204	Ahiigkqd.exe	107

C:\Users\Admin\AppData\Local\Temp\17b4b2e1748748e59f10319e27ed2994320d28a27c630f63f85a33ac15a05359.exe
"C:\Users\Admin\AppData\Local\Temp\17b4b2e1748748e59f10319e27ed2994320d28a27c630f63f85a33ac15a05359.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\SysWOW64\Pacaoc32.exe
  C:\Windows\system32\Pacaoc32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\Pijjpp32.exe
    C:\Windows\system32\Pijjpp32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\SysWOW64\Phmjkmka.exe
      C:\Windows\system32\Phmjkmka.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4584
    - - C:\Windows\SysWOW64\Ppdbljkd.exe
        
        C:\Windows\system32\Ppdbljkd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\SysWOW64\Peajdajk.exe
        
        C:\Windows\system32\Peajdajk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Pimfep32.exe
        
        C:\Windows\system32\Pimfep32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ppgobjia.exe
        
        C:\Windows\system32\Ppgobjia.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Pbekne32.exe
        
        C:\Windows\system32\Pbekne32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Pecgja32.exe
        
        C:\Windows\system32\Pecgja32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Plmogkoe.exe
        
        C:\Windows\system32\Plmogkoe.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Qnlkcfni.exe
        
        C:\Windows\system32\Qnlkcfni.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Qajhobmm.exe
        
        C:\Windows\system32\Qajhobmm.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Qefdpq32.exe
        
        C:\Windows\system32\Qefdpq32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Qlpllkmc.exe
        
        C:\Windows\system32\Qlpllkmc.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Qpkhmi32.exe
        
        C:\Windows\system32\Qpkhmi32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Qamdda32.exe
        
        C:\Windows\system32\Qamdda32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Qehqepcc.exe
        
        C:\Windows\system32\Qehqepcc.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Qhfmalbg.exe
        
        C:\Windows\system32\Qhfmalbg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Aoqenf32.exe
        
        C:\Windows\system32\Aoqenf32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Aaoaja32.exe
        
        C:\Windows\system32\Aaoaja32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Ahiigkqd.exe
        
        C:\Windows\system32\Ahiigkqd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Aldegj32.exe
        
        C:\Windows\system32\Aldegj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Aocace32.exe
        
        C:\Windows\system32\Aocace32.exe
        24⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Aaanpa32.exe
        
        C:\Windows\system32\Aaanpa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Aihfanhg.exe
        
        C:\Windows\system32\Aihfanhg.exe
        26⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Aoeniefo.exe
        
        C:\Windows\system32\Aoeniefo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Aeoffo32.exe
        
        C:\Windows\system32\Aeoffo32.exe
        28⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Aogkoedl.exe
        
        C:\Windows\system32\Aogkoedl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Aimoln32.exe
        
        C:\Windows\system32\Aimoln32.exe
        30⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Alkkhi32.exe
        
        C:\Windows\system32\Alkkhi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Aojhdd32.exe
        
        C:\Windows\system32\Aojhdd32.exe
        32⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Aahdqp32.exe
        
        C:\Windows\system32\Aahdqp32.exe
        33⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Blnhni32.exe
        
        C:\Windows\system32\Blnhni32.exe
        34⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Boldjd32.exe
        
        C:\Windows\system32\Boldjd32.exe
        35⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Befmfngc.exe
        
        C:\Windows\system32\Befmfngc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Bibigmpl.exe
        
        C:\Windows\system32\Bibigmpl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Bpladg32.exe
        
        C:\Windows\system32\Bpladg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Bammlomg.exe
        
        C:\Windows\system32\Bammlomg.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Bidemmnj.exe
        
        C:\Windows\system32\Bidemmnj.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Bpnnig32.exe
        
        C:\Windows\system32\Bpnnig32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\Bbljeb32.exe
        
        C:\Windows\system32\Bbljeb32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Baojaoke.exe
        
        C:\Windows\system32\Baojaoke.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        44⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\Blennh32.exe
        
        C:\Windows\system32\Blennh32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        46⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        47⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        48⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        49⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        51⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        52⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        53⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        55⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        62⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        63⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        64⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        65⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4212
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        67⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        68⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        69⤵
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        70⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        71⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3712
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        73⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        74⤵
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        75⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        76⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        78⤵
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        79⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2412
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        81⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        82⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        83⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        84⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        86⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        87⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        88⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        91⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        92⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        93⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        95⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        96⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        97⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        98⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        99⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        103⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        104⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        105⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        106⤵
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        107⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        109⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        110⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        112⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        114⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        116⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        117⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        118⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        120⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        121⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        122⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        123⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        124⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        125⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        126⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        127⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        128⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        129⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        131⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        132⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        133⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        135⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        136⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        138⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        139⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        141⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        143⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        144⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        145⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        146⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        147⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        148⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        149⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        150⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6608
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        154⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        155⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        156⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        157⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        158⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        159⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        160⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        161⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7084
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        163⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        164⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        165⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        166⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        167⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        168⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        169⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6528
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6600
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6636
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        174⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        176⤵
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        178⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        179⤵
        Drops file in System32 directory
        
        PID:7148
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        182⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6624
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        185⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6832
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        187⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        188⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        190⤵
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        191⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        192⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        194⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        195⤵
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        196⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        197⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        198⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        199⤵
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        200⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        201⤵
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        202⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        203⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        204⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        205⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7296
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        207⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7388
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        209⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        210⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        211⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        212⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        213⤵
        Drops file in System32 directory
        
        PID:7584
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        214⤵
        Drops file in System32 directory
        
        PID:7628
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        215⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7716
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        217⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        218⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7848
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        220⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        221⤵
        Modifies registry class
        
        PID:7932
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7980
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8068
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        225⤵
        Drops file in System32 directory
        
        PID:8112
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        226⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8152
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        227⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        228⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        229⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7416
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        231⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        232⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        233⤵
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        234⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        235⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7840
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        237⤵
        Modifies registry class
        
        PID:7880
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        238⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        239⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        240⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        241⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        242⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        243⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        244⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        245⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        246⤵
        Modifies registry class
        
        PID:7664
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        247⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        248⤵
        Modifies registry class
        
        PID:7904
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        249⤵
        Modifies registry class
        
        PID:8008
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        250⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7280
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        252⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        253⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        254⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8144
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        256⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7660
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        258⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7656
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        260⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        261⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        262⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        263⤵
        Drops file in System32 directory
        
        PID:8336
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        264⤵
        Drops file in System32 directory
        
        PID:8380
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        265⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        266⤵
        Modifies registry class
        
        PID:8480
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        267⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        268⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8632
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        270⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        271⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        272⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8828
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        274⤵
        Drops file in System32 directory
        
        PID:8864
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        275⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        276⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9004
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        278⤵
        Modifies registry class
        
        PID:9040
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        279⤵
        Drops file in System32 directory
        
        PID:9088
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        280⤵
        Modifies registry class
        
        PID:9128
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        281⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9212
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        283⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8204
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        284⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8316
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8412
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        286⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8508 -s 420
        287⤵
        Program crash
        
        PID:8724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8508 -ip 8508
1⤵
PID:8664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaanpa32.exe

Filesize
99KB

MD5
fe58f2e01cbaa0b3c4d955201195e838

SHA1
3a5308de4321f10446c694af3adc874b7e1e7398

SHA256
e5ca29251cae9c76931f583315c6df9955eb4283c5deedbf2d1bbb5633be01e8

SHA512
0eadaf36baab52079733baf104179eaa396d00ad82252d0ba7277ea9fff821db3087cee435a4783bab271567255132c5c572f1e7df50674b352b0ecbe8f8eb91

Download Submit
C:\Windows\SysWOW64\Aahdqp32.exe

Filesize
99KB

MD5
f519bf0d96ffa1bc68a755b16282955e

SHA1
f1dd62e91727793dc9a12841e21ab2b52324a113

SHA256
656dd4ce48805a0a6be77675acb7ecf1ca529bff1a916ca22f1b1ad6f01e1cf1

SHA512
3f5bff744547e7af7f4069825c66bf6011858b79d0dbf112bc359009d484c5db767f5c9ee777e58684331ed24b90a21191eea7b4105114c36b8a763623c0ddd8

Download Submit
C:\Windows\SysWOW64\Aaoaja32.exe

Filesize
99KB

MD5
533d63a84f45bd302d8965a6a069de56

SHA1
a14ecfe1e33ff6aa80e075e6959e4c5fbd820e7f

SHA256
1c7617a7204c438aa432cbefc342a411264e9a115db6fa1bc3b494ecb6fa91d7

SHA512
10fdb55da514083b1f1e2651986633a236af55b6c50aef9431137d4152e9e785a8cc1a43b0290b9642b7ae2fe04745c4a33fae0c500ead30b02ea161be327074

Download Submit
C:\Windows\SysWOW64\Aeoffo32.exe

Filesize
99KB

MD5
b9ad6971dbeb39b643fa6fc036e73664

SHA1
bc7db94a01e6bc219e9439c636c8ab648a3f8d8a

SHA256
a1ec9f0f9ce0465ee2f9db04403837f1dab1b64b9325514af9096f804d925438

SHA512
bbb1901e6103ba501a891e07af35e4d3499b8a6a30520ed13f459d2e99d0e5d5a98db84eb472eddc39bb0793b6cf1a24e4b3b86916875a01d8d37b81cffabd86

Download Submit
C:\Windows\SysWOW64\Ahiigkqd.exe

Filesize
99KB

MD5
529ead212760b647958bc549479c71d7

SHA1
9bad5fb5231d695377515d2e638e16482c307c33

SHA256
fe78c3f24559a7ecb307a622db2dd235f91d108c879aab09a5de933e6111a7a2

SHA512
709ccb600d3e21777040a38f794da6151452ff2826d135dd6fa61f74c87670a79fd060a6d9388b3f3be3dd1327226615002b31355d89af4b1792184cb14e7e11

Download Submit
C:\Windows\SysWOW64\Aihfanhg.exe

Filesize
99KB

MD5
59794e7b6dd13ef256adc9dfefae14e5

SHA1
c8254bc5530bd4c4da0d8cabf5d6f1371efd750b

SHA256
708e0413ca3bef4e7bf16267a619e335b8425a7b3a041e0ea66adb5f8dd8496e

SHA512
340e4c7fa9991cc399db29b41578a0d2649e1c27311114331093addc9b5efef7ac5dd69a87fdfce9a365d3af6ad8232293f76a3a8ad716c323a60813279c1057

Download Submit
C:\Windows\SysWOW64\Aimoln32.exe

Filesize
99KB

MD5
63af1c68e138ac29cb84f3a454479c48

SHA1
bf313781b015d03054dbdc3c53ed3ee4a05f6b83

SHA256
f4aeab08e01eef79e2a7a4c339f068914fba4843db80578c04dde3242dfe9b44

SHA512
81dbcf3f50b69aa323f01984d6fe0edbf6eccb66a677e35a6c6cc255bd1d5c9d8ddb3daaef1dc57d3f0d4bb70d7563897b68917c4d01903dc46c74e633745c55

Download Submit
C:\Windows\SysWOW64\Aldegj32.exe

Filesize
99KB

MD5
70378c61cfabc2d9dde0499bb9105dfd

SHA1
dc2d9b6016ceebe71c5f2e8219bd11a8b261b0ab

SHA256
1147482f743520b8e1e695ec339569d170407a0afc4804ca5fcda57ed6793ef7

SHA512
24551646acb50161fac0d80a5bf3aad5f68f2f6f6a27be72ad767814b4f047934ec47c58a6db8b63ccdef1168d7a85eea7a3cbfc52d0f0fd8f52951a1ef4a2af

Download Submit
C:\Windows\SysWOW64\Alkkhi32.exe

Filesize
99KB

MD5
c1e5cd546e2ea863d31f9b23495610dc

SHA1
ad5a5b7aed18da68042af3fa4a2c07052eb7969c

SHA256
a34b675b9216a245fbe50e18f684d877eae61fcd43826c656e884f02de05e471

SHA512
dd3df76d42816dd000a9abb273047d73fa86e1696e779a44ca97d026d0070c6c096cda8cf75b02cd29c9ca451f78264f24170db4cf1810a0253285557ae4955d

Download Submit
C:\Windows\SysWOW64\Aocace32.exe

Filesize
99KB

MD5
d5b0b5491c5f6e9f7cdee4776831393d

SHA1
fbc37b443e395f998fc3cb2ff4ce67775ecf5624

SHA256
5f5cd93f5cdd2b03a62f71894dae03395724d706a564f07ed708b5dcfcbd7c5d

SHA512
6f8b81084ad4a549abae857877814cfd4eecb87dd32454094837457332295753eab56aac75cb8f15027b0cf13eda068e1b4cf61e1eec6022bc0519ed8e91f20b

Download Submit
C:\Windows\SysWOW64\Aoeniefo.exe

Filesize
99KB

MD5
6b7048cd2d7302c7f9d0778d5aeb029b

SHA1
9630c5b9ddeef885957644831d4226e1061ca6ae

SHA256
3350e3a02e653b0c05dce1981fd9feaeb47f74420011f181a0660320deab4d45

SHA512
f5ef677d1e8faf42b5c17771bbc2789470f3f6da802da3da84e53539e31a431ed1bb1bbec7e5d08cad6960a8534741dadabb2f7db53c6c3935524503159e6dad

Download Submit
C:\Windows\SysWOW64\Aogkoedl.exe

Filesize
99KB

MD5
a6412ca37a39e711c474417eff0d0e7b

SHA1
f448241b90933bd15221dea4d327a8ec85b6caf2

SHA256
edf9dc53cb7be5a2229dcfa8ebb6a077ffc61e0f93cfa958b97159d4556d32c4

SHA512
8a9f43b2380462a9940d16576fedf51b1e426512008173fbed00d8131009fbad0d57bb93809db852f5de2d18c1797b79c3fd1c1d0e30f5a9ac01cfa4ffa9ef9c

Download Submit
C:\Windows\SysWOW64\Aojhdd32.exe

Filesize
99KB

MD5
11b05ff708a909931e138bfa699edbff

SHA1
05c774beeb747a43d56032be549775c65592696f

SHA256
c8243d8a47a857d13e335cf2ca10244266bce5bb3d8176ab8bab5690c47454cd

SHA512
bc745d2d2794aaaac7f194b0399f6a67037167d9b0daf9e3afbe8118f47d6d07d3e7922bd66a8c29ed826cf39ee04f6ef0b1bc2f08a9b074471b67677496706f

Download Submit
C:\Windows\SysWOW64\Aoqenf32.exe

Filesize
99KB

MD5
c40e3e24473f272d0d20461fc433d380

SHA1
a1c30de5b722372e3e1e9aad95100215e320f0ab

SHA256
bb54d66e4bfa12a3eb9e559ec40de47f5b4bc7dbf844c686f514e54fe3379ee7

SHA512
a5dcbbb039db46bd8e980e45f2f6c40c8df02cb1c20aa4231ce5fe1786b3ab2dc4d9108de167cfbbedb347cc0ad54ba0fbf4524452713646889ea7f28f0974a1

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
99KB

MD5
00ae679237052bebffd7c99897908d3e

SHA1
137b1a5a29b07935543ad7396de2578d2723d038

SHA256
08f39abc891bcf1f2f4379fde96fa6161739b5583ae39728190da08829ac1a3a

SHA512
a869d35ee035486a3202d4fcc7b6fa7d26fc99563d22a523116288701abdb36d9284772c45b00d213f81e2869127c40578f3d1c1fabea28b4e0ff1ae5b058a81

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
99KB

MD5
04896f1512b4b445d724b47a69cf22b2

SHA1
b84890fc3173ebe5041e2f76827072dbbbbb0dce

SHA256
a18c145288a56f016d8661836c9ec3af8b1d8693cde8d8bb71cd2e36fc851c94

SHA512
d4f6b4548d440625909ad0b809e41ad64f6f43bfb3f9d9cd931c146ac05f846dd84bc93bea94f16938c9ac7fdf1b2f5b75f77e61ab618fbf9337b8b4263a781d

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
99KB

MD5
054540285af05904cd2b9fe89919fa29

SHA1
96b9e909d12601d29c1a79e489a1b4de62c2e678

SHA256
21d0afad54e05726b3dbcee2e7c89075fdba4c0ae3ceeb6ee07c80190f3d5e5b

SHA512
63b7bed07fe149b957270f62cba2ddb85dda5c86d7e2a1f35b0e4c3bda80b15fe699f09ffc92d714b25ea2ba00b2335e4aed04e57458cab76bebe87bce402f13

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
99KB

MD5
89d5c03152788dc120f431911f6e4da9

SHA1
5698ead0f1fa63cf2cf72b73c4643ada424fd433

SHA256
c38fc8194b8d51ed6a25fb807ff7588b0793c46c2910b5db16b3d9890569b58b

SHA512
4a7f813d3f58b629203feb8784878faeed888f45aa3addfb46e8a2a716fc730b1b589ce0f5d76d6206b71a3a46ab78ad1348dda5ffc5b05462fe23f3a5a43a1b

Download Submit
C:\Windows\SysWOW64\Pacaoc32.exe

Filesize
99KB

MD5
6379471a117ededd3c96fffe5a98d6da

SHA1
01fdbb506129ffc6af481a57a2baefc181605364

SHA256
e9bae3d9c1b86ba64618b68b391fab49d8a1d0c5935037e1756270966f67024b

SHA512
7bdf5c8734a18b90c6e854b656d064b5591cee40e4520417a86ff0c462182d63f28efb2b2ba1d805c71371a21e5b895f2da178edb291eee8926d984085d528e1

Download Submit
C:\Windows\SysWOW64\Pbekne32.exe

Filesize
99KB

MD5
acdb9d9dee1555f87ccfcf50dbaaaa9b

SHA1
6d365db35fe4cabde411b79dfb2834ce036bb747

SHA256
cc6b49ac098ffb0418a8e78f0c9ebfebba4c2081594d6be0f388445d753282d9

SHA512
8f3f3a6760d1bf4bff9c6067295fa4c8309dbdcb9e55bcfd3de4d902413e7da1f76c48d09d16b22e7ac74a523c586ab1633677bb01f5553aa8a92004ee23f919

Download Submit
C:\Windows\SysWOW64\Peajdajk.exe

Filesize
99KB

MD5
22fcdd2a6c8f6aed0c2b6ddaa5ed8c01

SHA1
b6aff46d73baae9406ccb47898dfe0ed38e6bb11

SHA256
20b9ca070cb36cb8d4a2ac5503aba4af0259be3cf2f382f54e80edf0f2d5d9af

SHA512
d272a4760d8337c3211fd573b2161ee400a27d1dd78ad013467567a0340763bb0797500c30ee9a0870d7de3112ae81c90d8343be482414995f0dc63ea6d9a5ec

Download Submit
C:\Windows\SysWOW64\Pecgja32.exe

Filesize
99KB

MD5
64fd3b490b421588514a68033ef9383b

SHA1
c1b9f7bbd3f664cb138fd1c90c601c86ff24014d

SHA256
42ace3910da4a62e3aab403f4cdf5db383e7df0ec2ae2e56653920c017d0928c

SHA512
40a3b27d012b920582839021a69eca94d4a9057440e005a7351940d23963a1142ea991b7e3780ff98e6144df47bbf5b917d9d9fbfc887ab562ca8328de99ca2a

Download Submit
C:\Windows\SysWOW64\Phmjkmka.exe

Filesize
99KB

MD5
f9203e424ada0fb8f6beead61c01945e

SHA1
ec58c35b4bb5548702c6974789b6da4149c9ed38

SHA256
dc836dd18e611ac3078fcbff343cb8174ed414b82945e57415cd817cb0d49e44

SHA512
63e2778cabe31b90dd5d3fde9422ac4247c65a25b7e35ee21ff50d44cbef6fcd8c649baab67632769ce59d24a5c1a39740eb9919c4c165b9aa5bcfe0b03da2e4

Download Submit
C:\Windows\SysWOW64\Phnelk32.dll

Filesize
7KB

MD5
ce3c163f81c9f33d517877d0b8c9cad1

SHA1
bf90db0b13590b70a47cb45e9707fa63d8501617

SHA256
929392830c8ffc5bf1b6b6c170161f02d516e500a63d518ea7b2bb62a3be2b46

SHA512
c4a8e21744c572a137f1dddf8f55b90cedfa1fe9301b9a9645613ba9bea055ca53af372a3d49034311b77f6294b113125da53fcc85150328694f97f24d3ab22a

Download Submit
C:\Windows\SysWOW64\Pijjpp32.exe

Filesize
99KB

MD5
c9cf170d1038fddc2faa918e0ab88179

SHA1
3379c6d5afbc827e3c4c852d90a92372b3e0803f

SHA256
c55c8cc84d3e271b6768ad8314ab0596f45f28d82489bc60ffecfaa6c32b026b

SHA512
ea3f9a30dad65061fcc70dc8d85bd47269bddd85096375a3891955ac8a574b0448c0ea9a88a3144d724f4ccf33dd3dfe0fab5d1bb2702a4e2c9803ecea5caadb

Download Submit
C:\Windows\SysWOW64\Pimfep32.exe

Filesize
99KB

MD5
a9d8f1ad1fea188fc42c20712aa818dd

SHA1
a81e9819dca8208b8cbbbb5c6b24a463e6373556

SHA256
d6cb34fca1194baf7309ceca50244a852563cfe75787fca52fd76128be7cff43

SHA512
0963590a065b82580964c7221b0eb6b4191ec08d4cb3f7d30e2f8df964338f5dd52eb240c75de410f95cb837636c4e7a46bfa6a7ebf6e2c2ffbd06ffeff35080

Download Submit
C:\Windows\SysWOW64\Plmogkoe.exe

Filesize
99KB

MD5
2e2695e8b54deabdb318597d1d3174c5

SHA1
25cb229d4e061218cdcd5d6f6c2a795d7044d1cd

SHA256
2b30c7781813ccbf00a9bdfa4ea46859e8be6dce45b4b0afb6534a170de6e6de

SHA512
1e8b639cfdbb0638fb95e35c5f17a6274635e694885a351f7cba2831b053b99e8f85a8e65342502ac77373ad78cdb4f875ecc237aa7d4e47a201de0af10f9980

Download Submit
C:\Windows\SysWOW64\Ppdbljkd.exe

Filesize
99KB

MD5
59c02ac2f9bc9dcde6c4100e41d40b46

SHA1
d53066729342f48289aae8d24f49798da442964e

SHA256
f90c66effa6df6a5b3ba6cfd8591cad1afa243411edd07f603a9facd60ee97a1

SHA512
c4f580a0f670a667db9020c131fcad14e55385fc6ab3b844f492cefcceb396beff3678040455131bfa8742f93218444d41ddeb4486c2aefe60703ab462732a47

Download Submit
C:\Windows\SysWOW64\Ppgobjia.exe

Filesize
99KB

MD5
dbfae7e44a2d651b5d311fcc1767f631

SHA1
7c0baf287910cbfa5700bf21a3f7237b5e4cc182

SHA256
9b156a4e3f8998f2cd7477ff7f1f218b42654855f21617f9a3c11a0be66da6ab

SHA512
962dac6e96f47d89d744e3c6e53285da0236a97cdbbb9e5e05da83ebc4bc9590671fe63d1290afe9e49ac439e57392d11c206344e0d9546156cb79a5f4562399

Download Submit
C:\Windows\SysWOW64\Qajhobmm.exe

Filesize
99KB

MD5
162ae352bfa3f5dc8821647ca0400e40

SHA1
c65de83126f9de08f08c945233e9789bb4dc5130

SHA256
79c3f91ec6cd2f1a465a3b01ed60e6dd5cbd909d19d2afd833ab25b40c7577dc

SHA512
a63e491598e15615a278265ff4fe59511bacc37bcc8304b307ca2c0b9abeb75aeb0dc49efa9411d03aa869c03876e20d6c341d37d9ff1903c14ca932ec443288

Download Submit
C:\Windows\SysWOW64\Qamdda32.exe

Filesize
99KB

MD5
e05bdd4441ec03d91084151776401dbf

SHA1
2796e6d568d3a2f75144c45536214ce6e2791c85

SHA256
e4e551691caf5a8880ba8139420c2ca380d58561b5eb2734426a1d1220bd6b9f

SHA512
fd6cbf4c4ff59e64aedb0be1de2192890c368ac1b1821a67d93dca90384b946610656dbaf36e9b8d319844bb403848cef5578e6109fb2141f307af90ecb417fb

Download Submit
C:\Windows\SysWOW64\Qefdpq32.exe

Filesize
99KB

MD5
bad2afb65e5c88d75dd44ae3f1abd0be

SHA1
b046ba87c0f4bcef0bc10d40efd55d540736383e

SHA256
34e336124d2dc017bac037c2fdb0b0469d7c57ce7f181e29ab2d3c4276a7d350

SHA512
29f5fc71acbf0e30d0f7f3493b16c4053f5e152f792d804e135d7f19bbb27b679ee534308f0ee3086749f9a44aa1bbbd9214cfe4d75914f9cf92cb47ccec1f76

Download Submit
C:\Windows\SysWOW64\Qehqepcc.exe

Filesize
99KB

MD5
70d01b6d333afb28a1379a112c500fc0

SHA1
eda7577b576c08decaf6def329607074c67c476f

SHA256
bf5a0df6909291dbe151518dfdf0fda056701a8efa179d109fa39d00f932fdff

SHA512
12df6e527a66d2ee304dd4d80de328f0004ec517838d520092ed84aa949c53ddbfe0203c5e35c32c0089b2f85ebdf069ae2dbcf7268018fda3c90c8ad28010f8

Download Submit
C:\Windows\SysWOW64\Qhfmalbg.exe

Filesize
99KB

MD5
ea3d91bcd2c4676b4b6a4db3f67fb010

SHA1
1c53c4481f2d96c82985a8ff1092657967e8d39f

SHA256
7a97d9af1de5cae1d3664b422281af2b469520d2404491c5c2ea865f05a0e201

SHA512
f6e0cb830212ccb6236f4410611f8d4b1d66b4676a5ca53610e24c60044667186fb54d8354553861b45e9b2ddcf5914f25f7b6ca4650e9e552c16c8f963b9748

Download Submit
C:\Windows\SysWOW64\Qlpllkmc.exe

Filesize
99KB

MD5
0f5f4325715c6dec2ebaef0e6475b4b5

SHA1
3c7ec6cf444f81b2680630b29b2bba81e76e81ea

SHA256
70a4a1593801e6db28b8454291f2379870c0f833dc1f8efc9e0356d9115997cc

SHA512
31091a11b8bbaa38cba45de0a6eac665563d09dcfe160fc11684d6185388e2e71053796c293a5ab4bee590927ca7814de2da58d08eeb940fe3c58cf251864762

Download Submit
C:\Windows\SysWOW64\Qnlkcfni.exe

Filesize
99KB

MD5
977fff5ad40ea0518f552f04167daf90

SHA1
6669264e6be5db1a4850525bef3bd8f000f54d1e

SHA256
381654aefad657aff7ed292dc1107ab8db48b4262661290545fc7ad810dddd53

SHA512
46a7a4cedc95c1a6a61368b979239747fd6cdea36040e121e054d9a0f648299446f579726e23b3a3ec4e8c983200866475beb21ff5ce9e5db6cf35a8b045d153

Download Submit
C:\Windows\SysWOW64\Qpkhmi32.exe

Filesize
99KB

MD5
7f227a2fb4cbbd4c124283887423c5a2

SHA1
9c12bb17950167aefca97c68a81a56b8d3db0a4a

SHA256
75102cd52d5c2f12873fde1973947d2404c78d425c9bdf694edc52d028212530

SHA512
3fa97bec3eaf9b2e0546f0e4d5da06e8ea68fd57170fcd33554d065e4591b9d27294f753068e11590102751321f046434c8a8a36711f816243e830f694ef791b

Download Submit
memory/368-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-212-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/408-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/408-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/536-195-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/716-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/932-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-138-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-114-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1792-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1852-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1852-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1856-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-146-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2044-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2044-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2316-214-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-85-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2480-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3084-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3084-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3188-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3204-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3444-206-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3492-171-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3544-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3572-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3820-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4000-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4000-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4012-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4128-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4148-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4148-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4200-106-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4200-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4308-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4548-154-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-123-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4604-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4604-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5088-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5088-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads