d98600abe25a76e717181c196c7996d90c93a5ff27e8ca4f17fd771cb2a4c9d4

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d98600abe25a76e717181c196c7996d90c93a5ff27e8ca4f17fd771cb2a4c9d4.exe
Size

59KB
MD5

45dddfbe75dde48d3b8ba66db02a192c
SHA1

2f94c1ca74d50bc2b4ad37ee86861470d1edeb1c
SHA256

d98600abe25a76e717181c196c7996d90c93a5ff27e8ca4f17fd771cb2a4c9d4
SHA512

f30d39d94a7c3841c1da0caa6b1e53309dee688002cfbc6571fff225f013572350e86e27fbf79720786123b3b32233952d81a262405045192feb3252f84ea11f
SSDEEP

768:KhQnQ+1fWjuzJ/sOLHM+hiHLQDMIu5SkOp/bU5MF2p/1H5QzKXdnhfXaXdnh:OQQ+1fWj4KijiHMDIMLp/LF2Ly8O

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhpjkojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddpeoafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdhfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Colffknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcimkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhcpgmjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkjlp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgemphmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcckif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acocaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chbnia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjkombfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paegjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfibe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balfaiil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himldi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icplcpgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balfaiil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glebhjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbefaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaepqjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cliaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cknnpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbmelbid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe

Executes dropped EXE 64 IoCs

pid	Process
4264	Ndbnboqb.exe
1932	Nnjbke32.exe
1988	Nddkgonp.exe
3708	Nkncdifl.exe
888	Nbhkac32.exe
1108	Ndghmo32.exe
3056	Njcpee32.exe
4704	Ndidbn32.exe
4148	Nggqoj32.exe
3412	Nnaikd32.exe
2220	Nbmelbid.exe
4076	Okeieh32.exe
1540	Ondeac32.exe
3256	Ocqnij32.exe
3604	Okhfjh32.exe
5088	Ojjffddl.exe
1048	Odpjcm32.exe
4976	Ogogoi32.exe
696	Ojmcld32.exe
1984	Oqgkhnjf.exe
3068	Ocegdjij.exe
4480	Ogaceh32.exe
4744	Onklabip.exe
4476	Ojalgcnd.exe
2944	Odgqdlnj.exe
3144	Pgemphmn.exe
1592	Pnpemb32.exe
468	Peimil32.exe
4500	Pkceffcd.exe
4340	Pnbbbabh.exe
4016	Peljol32.exe
752	Pndohaqe.exe
1492	Pcagphom.exe
3532	Pjkombfj.exe
4996	Paegjl32.exe
2288	Pcccfh32.exe
3656	Pnihcq32.exe
2268	Pagdol32.exe
2244	Qcepkg32.exe
1216	Qnkdhpjn.exe
2928	Qeemej32.exe
516	Qloebdig.exe
1528	Qbimoo32.exe
2880	Aegikj32.exe
4780	Agffge32.exe
3836	Anpncp32.exe
3000	Aejfpjne.exe
2240	Ajfoiqll.exe
3748	Aaqgek32.exe
1648	Acocaf32.exe
4388	Andgoobc.exe
116	Aeopki32.exe
2360	Ajkhdp32.exe
3384	Aaepqjpd.exe
1872	Ahoimd32.exe
2964	Ajneip32.exe
4856	Abemjmgg.exe
3404	Bdfibe32.exe
1160	Bdhfhe32.exe
2832	Bjbndobo.exe
2176	Balfaiil.exe
1928	Bdkcmdhp.exe
2260	Bjdkjo32.exe
4088	Baocghgi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Kmkfhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ehnglm32.exe	Eepjpb32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Fgnjkdco.dll	Balfaiil.exe
File created	C:\Windows\SysWOW64\Jinpgcmg.dll	Doqpak32.exe
File opened for modification	C:\Windows\SysWOW64\Pnihcq32.exe	Pcccfh32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Ondeac32.exe	Okeieh32.exe
File opened for modification	C:\Windows\SysWOW64\Ogaceh32.exe	Ocegdjij.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Aolmfp32.dll	Pkceffcd.exe
File opened for modification	C:\Windows\SysWOW64\Klljnp32.exe	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Klljnp32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Bgdpie32.dll	Bdfibe32.exe
File created	C:\Windows\SysWOW64\Dboigi32.exe	Dkgqfl32.exe
File created	C:\Windows\SysWOW64\Ekacmjgl.exe	Dhbgqohi.exe
File opened for modification	C:\Windows\SysWOW64\Eepjpb32.exe	Elppfmoo.exe
File opened for modification	C:\Windows\SysWOW64\Fafkecel.exe	Fcckif32.exe
File created	C:\Windows\SysWOW64\Heomgj32.dll	Faihkbci.exe
File opened for modification	C:\Windows\SysWOW64\Gbbkaako.exe	Gododflk.exe
File created	C:\Windows\SysWOW64\Ikbnacmd.exe	Imoneg32.exe
File created	C:\Windows\SysWOW64\Pnpemb32.exe	Pgemphmn.exe
File created	C:\Windows\SysWOW64\Cliaoq32.exe	Cdainc32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Odgqdlnj.exe	Ojalgcnd.exe
File opened for modification	C:\Windows\SysWOW64\Dohfbj32.exe	Dlijfneg.exe
File created	C:\Windows\SysWOW64\Nghjpm32.dll	Gododflk.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nnambi32.dll	Dohfbj32.exe
File opened for modification	C:\Windows\SysWOW64\Paegjl32.exe	Pjkombfj.exe
File created	C:\Windows\SysWOW64\Mjhmqf32.dll	Himldi32.exe
File created	C:\Windows\SysWOW64\Jcefno32.exe	Jmknaell.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kdihjfbe.dll	Fcckif32.exe
File opened for modification	C:\Windows\SysWOW64\Fbnafb32.exe	Fooeif32.exe
File created	C:\Windows\SysWOW64\Eeijge32.dll	Ajkhdp32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
11176	10880	WerFault.exe	515

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkopnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajneip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdjapoo.dll"	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odgqdlnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flioncbc.dll"	Doeiljfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpaqkn32.dll"	Ehnglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhilj32.dll"	Gbbkaako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbmelbid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocegdjij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcagphom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnnep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajolcjk.dll"	Elppfmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjgdmkj.dll"	Fkffog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okhfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgmek32.dll"	Baaplhef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbpgbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnaikd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajbcgdm.dll"	Baocghgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clpgpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocqqdjh.dll"	Daaicfgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faihkbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfbploob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qloebdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjpm32.dll"	Gododflk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocegdjij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdkldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibqpimpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pndohaqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbgqohi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkceffcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmjlcj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4264	2700	d98600abe25a76e717181c196c7996d90c93a5ff27e8ca4f17fd771cb2a4c9d4.exe	85
PID 2700 wrote to memory of 4264	2700	d98600abe25a76e717181c196c7996d90c93a5ff27e8ca4f17fd771cb2a4c9d4.exe	85
PID 2700 wrote to memory of 4264	2700	d98600abe25a76e717181c196c7996d90c93a5ff27e8ca4f17fd771cb2a4c9d4.exe	85
PID 4264 wrote to memory of 1932	4264	Ndbnboqb.exe	86
PID 4264 wrote to memory of 1932	4264	Ndbnboqb.exe	86
PID 4264 wrote to memory of 1932	4264	Ndbnboqb.exe	86
PID 1932 wrote to memory of 1988	1932	Nnjbke32.exe	87
PID 1932 wrote to memory of 1988	1932	Nnjbke32.exe	87
PID 1932 wrote to memory of 1988	1932	Nnjbke32.exe	87
PID 1988 wrote to memory of 3708	1988	Nddkgonp.exe	88
PID 1988 wrote to memory of 3708	1988	Nddkgonp.exe	88
PID 1988 wrote to memory of 3708	1988	Nddkgonp.exe	88
PID 3708 wrote to memory of 888	3708	Nkncdifl.exe	89
PID 3708 wrote to memory of 888	3708	Nkncdifl.exe	89
PID 3708 wrote to memory of 888	3708	Nkncdifl.exe	89
PID 888 wrote to memory of 1108	888	Nbhkac32.exe	90
PID 888 wrote to memory of 1108	888	Nbhkac32.exe	90
PID 888 wrote to memory of 1108	888	Nbhkac32.exe	90
PID 1108 wrote to memory of 3056	1108	Ndghmo32.exe	91
PID 1108 wrote to memory of 3056	1108	Ndghmo32.exe	91
PID 1108 wrote to memory of 3056	1108	Ndghmo32.exe	91
PID 3056 wrote to memory of 4704	3056	Njcpee32.exe	92
PID 3056 wrote to memory of 4704	3056	Njcpee32.exe	92
PID 3056 wrote to memory of 4704	3056	Njcpee32.exe	92
PID 4704 wrote to memory of 4148	4704	Ndidbn32.exe	93
PID 4704 wrote to memory of 4148	4704	Ndidbn32.exe	93
PID 4704 wrote to memory of 4148	4704	Ndidbn32.exe	93
PID 4148 wrote to memory of 3412	4148	Nggqoj32.exe	94
PID 4148 wrote to memory of 3412	4148	Nggqoj32.exe	94
PID 4148 wrote to memory of 3412	4148	Nggqoj32.exe	94
PID 3412 wrote to memory of 2220	3412	Nnaikd32.exe	95
PID 3412 wrote to memory of 2220	3412	Nnaikd32.exe	95
PID 3412 wrote to memory of 2220	3412	Nnaikd32.exe	95
PID 2220 wrote to memory of 4076	2220	Nbmelbid.exe	96
PID 2220 wrote to memory of 4076	2220	Nbmelbid.exe	96
PID 2220 wrote to memory of 4076	2220	Nbmelbid.exe	96
PID 4076 wrote to memory of 1540	4076	Okeieh32.exe	97
PID 4076 wrote to memory of 1540	4076	Okeieh32.exe	97
PID 4076 wrote to memory of 1540	4076	Okeieh32.exe	97
PID 1540 wrote to memory of 3256	1540	Ondeac32.exe	98
PID 1540 wrote to memory of 3256	1540	Ondeac32.exe	98
PID 1540 wrote to memory of 3256	1540	Ondeac32.exe	98
PID 3256 wrote to memory of 3604	3256	Ocqnij32.exe	99
PID 3256 wrote to memory of 3604	3256	Ocqnij32.exe	99
PID 3256 wrote to memory of 3604	3256	Ocqnij32.exe	99
PID 3604 wrote to memory of 5088	3604	Okhfjh32.exe	101
PID 3604 wrote to memory of 5088	3604	Okhfjh32.exe	101
PID 3604 wrote to memory of 5088	3604	Okhfjh32.exe	101
PID 5088 wrote to memory of 1048	5088	Ojjffddl.exe	102
PID 5088 wrote to memory of 1048	5088	Ojjffddl.exe	102
PID 5088 wrote to memory of 1048	5088	Ojjffddl.exe	102
PID 1048 wrote to memory of 4976	1048	Odpjcm32.exe	103
PID 1048 wrote to memory of 4976	1048	Odpjcm32.exe	103
PID 1048 wrote to memory of 4976	1048	Odpjcm32.exe	103
PID 4976 wrote to memory of 696	4976	Ogogoi32.exe	104
PID 4976 wrote to memory of 696	4976	Ogogoi32.exe	104
PID 4976 wrote to memory of 696	4976	Ogogoi32.exe	104
PID 696 wrote to memory of 1984	696	Ojmcld32.exe	105
PID 696 wrote to memory of 1984	696	Ojmcld32.exe	105
PID 696 wrote to memory of 1984	696	Ojmcld32.exe	105
PID 1984 wrote to memory of 3068	1984	Oqgkhnjf.exe	106
PID 1984 wrote to memory of 3068	1984	Oqgkhnjf.exe	106
PID 1984 wrote to memory of 3068	1984	Oqgkhnjf.exe	106
PID 3068 wrote to memory of 4480	3068	Ocegdjij.exe	107

C:\Users\Admin\AppData\Local\Temp\d98600abe25a76e717181c196c7996d90c93a5ff27e8ca4f17fd771cb2a4c9d4.exe
"C:\Users\Admin\AppData\Local\Temp\d98600abe25a76e717181c196c7996d90c93a5ff27e8ca4f17fd771cb2a4c9d4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\Ndbnboqb.exe
  C:\Windows\system32\Ndbnboqb.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\Nnjbke32.exe
    C:\Windows\system32\Nnjbke32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\Nddkgonp.exe
      C:\Windows\system32\Nddkgonp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Nnaikd32.exe
        
        C:\Windows\system32\Nnaikd32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Nbmelbid.exe
        
        C:\Windows\system32\Nbmelbid.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Okeieh32.exe
        
        C:\Windows\system32\Okeieh32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Ondeac32.exe
        
        C:\Windows\system32\Ondeac32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Ocqnij32.exe
        
        C:\Windows\system32\Ocqnij32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Okhfjh32.exe
        
        C:\Windows\system32\Okhfjh32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ojjffddl.exe
        
        C:\Windows\system32\Ojjffddl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Odpjcm32.exe
        
        C:\Windows\system32\Odpjcm32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Ogogoi32.exe
        
        C:\Windows\system32\Ogogoi32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Ojmcld32.exe
        
        C:\Windows\system32\Ojmcld32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Oqgkhnjf.exe
        
        C:\Windows\system32\Oqgkhnjf.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Ocegdjij.exe
        
        C:\Windows\system32\Ocegdjij.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Ogaceh32.exe
        
        C:\Windows\system32\Ogaceh32.exe
        23⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Onklabip.exe
        
        C:\Windows\system32\Onklabip.exe
        24⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Ojalgcnd.exe
        
        C:\Windows\system32\Ojalgcnd.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Odgqdlnj.exe
        
        C:\Windows\system32\Odgqdlnj.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Pgemphmn.exe
        
        C:\Windows\system32\Pgemphmn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\Pnpemb32.exe
        
        C:\Windows\system32\Pnpemb32.exe
        28⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Peimil32.exe
        
        C:\Windows\system32\Peimil32.exe
        29⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Pkceffcd.exe
        
        C:\Windows\system32\Pkceffcd.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Pnbbbabh.exe
        
        C:\Windows\system32\Pnbbbabh.exe
        31⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Peljol32.exe
        
        C:\Windows\system32\Peljol32.exe
        32⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Pcagphom.exe
        
        C:\Windows\system32\Pcagphom.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Pjkombfj.exe
        
        C:\Windows\system32\Pjkombfj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Paegjl32.exe
        
        C:\Windows\system32\Paegjl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Pcccfh32.exe
        
        C:\Windows\system32\Pcccfh32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        38⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Pagdol32.exe
        
        C:\Windows\system32\Pagdol32.exe
        39⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        40⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        41⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Qeemej32.exe
        
        C:\Windows\system32\Qeemej32.exe
        42⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Qbimoo32.exe
        
        C:\Windows\system32\Qbimoo32.exe
        44⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        45⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\Agffge32.exe
        
        C:\Windows\system32\Agffge32.exe
        46⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Anpncp32.exe
        
        C:\Windows\system32\Anpncp32.exe
        47⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        48⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        49⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Aaqgek32.exe
        
        C:\Windows\system32\Aaqgek32.exe
        50⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Andgoobc.exe
        
        C:\Windows\system32\Andgoobc.exe
        52⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        53⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Ahoimd32.exe
        
        C:\Windows\system32\Ahoimd32.exe
        56⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        58⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        61⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        63⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        64⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        66⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Bjghpn32.exe
        
        C:\Windows\system32\Bjghpn32.exe
        67⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        68⤵
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Bdolhc32.exe
        
        C:\Windows\system32\Bdolhc32.exe
        69⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        70⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        71⤵
        
        PID:800
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        72⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4872
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        75⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        76⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        77⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4980
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4160
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2416
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3516
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        82⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        83⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        84⤵
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        85⤵
        
        PID:824
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        86⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        87⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        89⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        90⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        92⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        93⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        95⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        96⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        97⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        98⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        100⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        102⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        103⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        105⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        106⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        107⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        108⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        111⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        112⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        114⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        115⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        118⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        120⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        121⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        122⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        123⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        124⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        125⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        126⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        127⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        129⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        132⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        133⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        134⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        135⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        136⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        137⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        138⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        139⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        140⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        141⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        142⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        143⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        144⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        145⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        146⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        148⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        149⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        150⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        151⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        152⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        153⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        154⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        155⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        156⤵
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        157⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        158⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        159⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        161⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        162⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        165⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        166⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        167⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        168⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        169⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        170⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        171⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        172⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        173⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        174⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        175⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        176⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        178⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        179⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        180⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        181⤵
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        182⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        183⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        184⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        186⤵
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        187⤵
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        188⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        190⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        192⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        193⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        194⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        195⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        196⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7216
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        198⤵
        Drops file in System32 directory
        
        PID:7256
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        199⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        200⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        201⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        202⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7464
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        204⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7552
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7596
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        207⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        208⤵
        Modifies registry class
        
        PID:7692
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7732
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        210⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        211⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7856
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        213⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        214⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        215⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7980
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        216⤵
        Drops file in System32 directory
        
        PID:8020
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        217⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        218⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        219⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        220⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        221⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        222⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        223⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        224⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7492
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        226⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        227⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7700
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        229⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        230⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        232⤵
        Modifies registry class
        
        PID:7968
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        233⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        234⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        235⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7204
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        237⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        238⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        239⤵
        Drops file in System32 directory
        
        PID:7576
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        240⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        241⤵
        Modifies registry class
        
        PID:7796
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        242⤵
        Modifies registry class
        
        PID:7916
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        243⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        244⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        245⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        246⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        247⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        248⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        249⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        250⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        251⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        252⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        253⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        254⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        255⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        256⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        257⤵
        Modifies registry class
        
        PID:7852
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        258⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        259⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        260⤵
        Drops file in System32 directory
        
        PID:8268
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        261⤵
        Modifies registry class
        
        PID:8320
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        262⤵
        Modifies registry class
        
        PID:8368
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        263⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        264⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        265⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        266⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        267⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8624
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        269⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        270⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        271⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8788
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        273⤵
        Modifies registry class
        
        PID:8836
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        274⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        275⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8980
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        277⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9060
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        279⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        280⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        281⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        282⤵
        Drops file in System32 directory
        
        PID:8216
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8316
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        284⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        285⤵
        Drops file in System32 directory
        
        PID:8472
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        286⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        287⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        288⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        289⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8740
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        290⤵
        Drops file in System32 directory
        
        PID:8812
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        291⤵
        Modifies registry class
        
        PID:8880
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        292⤵
        Drops file in System32 directory
        
        PID:8944
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        293⤵
        Drops file in System32 directory
        
        PID:9008
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        294⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        295⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9140
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        296⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        297⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        298⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        299⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        300⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        301⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        302⤵
        Drops file in System32 directory
        
        PID:8888
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        303⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        304⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9076
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        305⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        306⤵
        Modifies registry class
        
        PID:8364
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        307⤵
        Drops file in System32 directory
        
        PID:8500
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        308⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        309⤵
        Drops file in System32 directory
        
        PID:8856
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        310⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        311⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        312⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        313⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        314⤵
        Modifies registry class
        
        PID:8960
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        315⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        316⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        317⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        318⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        319⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        320⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        321⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9268
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        322⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9316
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9352
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        324⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9392
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        325⤵
        Drops file in System32 directory
        
        PID:9436
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        326⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        327⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9528
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        328⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        329⤵
        Modifies registry class
        
        PID:9608
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        330⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        331⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        332⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9736
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        333⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9824
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        335⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        336⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        337⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        338⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        339⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        340⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        341⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10120
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        342⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        343⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        344⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        345⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        346⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        347⤵
        Drops file in System32 directory
        
        PID:9420
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        348⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        349⤵
        Drops file in System32 directory
        
        PID:9548
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        350⤵
        Modifies registry class
        
        PID:9624
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        351⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        352⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        353⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        354⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        355⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        356⤵
        Modifies registry class
        
        PID:10088
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        357⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        358⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        359⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        360⤵
        Drops file in System32 directory
        
        PID:9416
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        361⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9560
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        362⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        363⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        364⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        365⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        366⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        367⤵
        Drops file in System32 directory
        
        PID:8484
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        368⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9388
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        369⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        370⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        371⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9968
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        372⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        373⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        374⤵
        Drops file in System32 directory
        
        PID:9920
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        375⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        376⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        377⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        378⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        379⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10316
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        380⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        381⤵
        Modifies registry class
        
        PID:10404
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        382⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        383⤵
        Modifies registry class
        
        PID:10488
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        384⤵
        Drops file in System32 directory
        
        PID:10536
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        385⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        386⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        387⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        388⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10720
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        389⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        390⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10812
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        391⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        392⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        393⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        394⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        395⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        396⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        397⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11100
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        398⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        399⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        400⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        401⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        402⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        403⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10352
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        404⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10436
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        405⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        406⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        407⤵
        Drops file in System32 directory
        
        PID:10628
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        408⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        409⤵
        Modifies registry class
        
        PID:10860
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        410⤵
        Drops file in System32 directory
        
        PID:10884
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        411⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        412⤵
        Drops file in System32 directory
        
        PID:10992
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        413⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        414⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        415⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11224
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        416⤵
        Drops file in System32 directory
        
        PID:10264
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        417⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        418⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        419⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        420⤵
        Drops file in System32 directory
        
        PID:10680
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        421⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10880 -s 404
        422⤵
        Program crash
        
        PID:11176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 10880 -ip 10880
1⤵
PID:11124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jcefno32.exe

Filesize
59KB

MD5
ae99d50bc25fc405696dd3bc76300f39

SHA1
a4dd7aac4d9e29430a37e987977ca19fd6e563fc

SHA256
0e8e672aefff8dc3926ab8ed9c0a2c363d32d54995d0224888b7321f7028bdb2

SHA512
d7daafe406e9e7198daec369071b80df9bd44a304f860e40419bbf7e7ab333a0ec9937b7434c50a21751a2ec3abad147d31e78e567a48d5e37c2f8a454f45def

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
59KB

MD5
1b2b9a099b8b568254fa2fb41ef2858c

SHA1
a18393d479f101c37bea04a621b28a3fab57469f

SHA256
fdd50c8e222cef09d27b91349f94103ece0accb2a594cad1e064151bb35e810f

SHA512
96bea1a509e0199e12a75ca3aef873448e5ce94643363a55b00eef470833510fc3e45d4356086dd548db562202226dd7cae6527e105efc33951dc1d1cf48c09e

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
59KB

MD5
b0c0bd677262ab6bcb83a8b4136681a4

SHA1
1972c7935588193e855ea3499c1419093b35da37

SHA256
ef5c73ba9cdf3dbf36f0419f276524726dea59d8dacf5eb1a12a987a40300ea0

SHA512
870540913f224b7f65587deb8938e828b2b5a46dab6fc61224151a8aad1d337f319be45886636d308010491d4280bf50b32f65b0860a96dfccc93d841583293a

Download Submit
C:\Windows\SysWOW64\Nbmelbid.exe

Filesize
59KB

MD5
8cdc7be8b9b1379cc32d1f2b8a2618eb

SHA1
c4738e470a2f5b58c6868d9f1c8d887dffc9339f

SHA256
ab464b274225a4abd5bea4367a0cce920c1d272e8cecfae6df687e7c0d84d7a9

SHA512
f0a1d569dccf68e6eb7f0cf7b85c201b8498f1f6b0163db278c586cc99d3e69f16a9188be604de67d4cd8a5e78ce09720730f43e758055f4495f40b400c16770

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
59KB

MD5
871e7c1d61f5914d23b8bca2ba73bf55

SHA1
4fd5e5e46ee681a44a252ace163ede42472454fa

SHA256
b19934bad0979e17477d9dc5f1a38c57eaa14c081a93fb46ad836be813eb1c13

SHA512
fd109deda602328440232c5d44d93b121c0eeba30f6f572ec06fef9f49054b19e1ccef971f518b961d80fe64165d907548746ff8b47a68d5ef0fcfeac13ec70f

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
59KB

MD5
3500e80db3e3a8484e7407a981f6aaa9

SHA1
64ec16b2299dbcf817d7ea911b95b47105ef6c79

SHA256
d650ba7bf997375523de6689a76485fad13bf0f51b6557b7ea455ab8a6209119

SHA512
1ff03848c8879cce90a4435b858d798e590b5dc9b2e235294883d6df79882bc3ac7abcfb062629aa78b520c0bc63f9339dbb5f48e5ccc35575f62a97d78abd79

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
59KB

MD5
63edad33919412351753b27a41cbe4b4

SHA1
72fe5fbd9a065b12bccbb21f197871ad444c71a4

SHA256
4e21ba1d4ec3ebd6d03d7598fef524547c122b063d49dd915a011ebcbf7c3104

SHA512
01291000789d14b36693442a8accf69020c3c2fadf991fcb305991367bf0dd9a3326dd55a0da2280c8b89dc405ae89be047f998a20cdb19cdbe812f04bb5f537

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
59KB

MD5
6da0d66d562c8fec7ae819f626fb8dd1

SHA1
7c973e20c8c67a7ccc3093e225a046c2050cb13b

SHA256
754eb7775f45a00f35f4c062f72ac6a65f1c5f2e7a94abd5a29eabffc491b55b

SHA512
18ff55d2dc33065542874b0ab6435d32b614d51966ba96fbd9ffc417e4c43dd255c487e5b08e78b36aede8b827d06ec38c3d3b034374fb090d4ef137052ec9a3

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
59KB

MD5
1140236aeb133239b17ef61e70be48ab

SHA1
48822ee32800273ab4f9087473ac4cc109c452af

SHA256
915434f676519d62de647af2d0c6174c00dd3fa2d9a5ce82c7aeeda17a7a79d8

SHA512
a9623b6d5d59fc28ed8766f0dbdd6e316cb80d1f85548280cf9d168dfdef38fc75a425616d7e26480776772f4ae6716d6212d87181985bea370ade9549b72c02

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
59KB

MD5
78a5be4c5788bdf0b1e2190c71683896

SHA1
c77ad90d39398f13a814d6978d7bd168c2288e4f

SHA256
3fc915600d8f5baf23fd32781a420aeb7d3973152249f28666cdc8b0893afba4

SHA512
fbe45d1148a233b61d8f7bd80153035bc7e89efe692be483f6ed8d530d24a0d4a0ac6c5786be285f541ebd3fe730339222139f58a312c49731cbfa9cd4784b21

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
59KB

MD5
830d71dd686b695363e17e12bf84c14c

SHA1
748b4e36eb964883276976161d6e8a753bb78e53

SHA256
5dc7c2f23e18b51a0c5aad5af3db089f0b88c1f49f7a700446fbb937153c918f

SHA512
618455ddcd31e0f19b523936f3e10dfbe0076b2450ec902aaa1a22ca1531a6bb764ca5e2e103a8018932fd9a3da532ba714d06933c97ec40152733df8fa2c9cc

Download Submit
C:\Windows\SysWOW64\Nnaikd32.exe

Filesize
59KB

MD5
f4d07353b49cd9383174c7d38878cd02

SHA1
e8fd231c9ce92c5490b91d34b8cf7fc8af46752a

SHA256
fff471c7ab7b55ab2a3baff09cd09babe4057729bc30ae2ee45b9affab7c1cd1

SHA512
130cefd06feff0790b90cde93a7772ef334adeff3172ec7800c7effff41af8b66fa7f1b6dd562205f480a73a15f73b1dc66b10d499ad083969df81c99bcead0d

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
59KB

MD5
901c0c16f5ab5b72c7a98de6447670d0

SHA1
923e4ad83a8deda29edf47708d001c6752d607b9

SHA256
8770f73810ad477c6be1360084399fe9f7066e35a2b3160cde7ee69fdc1e28f0

SHA512
be0888284da503313950897cd6ccea9d8c734203b60c9c8514ed8936666b280908957911a96e575ec62a114163e99d821e32473708e8b5ca6b97ba5af3a10633

Download Submit
C:\Windows\SysWOW64\Ocegdjij.exe

Filesize
59KB

MD5
484313e8859d32c306aa741f52ff4d30

SHA1
e9311c0fa57be86f01b2f83310cfb62d9e266ae1

SHA256
7aff25b7349cd69e02b3d3963164282dedcedfe3296336280e538f9df2f4eb60

SHA512
dcc1dec20ae16697c584cce7d2341c4b967c9b29f57108b9ca06204221046125c870a3227b35d37d97007f88edcfe249b20a2e63560efa7eca066c8e61ac3344

Download Submit
C:\Windows\SysWOW64\Ocqnij32.exe

Filesize
59KB

MD5
8fe98f604d53181e8526be711dbf52b3

SHA1
6de241a5c9dc028912126f99fadddd462eeac336

SHA256
dddc058f272c82fb278c97798e9d844e96028eb91e7f75cf332c295b5eb11c26

SHA512
97f5d6a294cea8e010cc931ef84d13a543dd26ec3290fccf714c9d7634b24a0ecd256cc48c76270adcee89442759aa1e9be60d12633e413b0395d8d8a6372158

Download Submit
C:\Windows\SysWOW64\Odgqdlnj.exe

Filesize
59KB

MD5
54b261cccb40586fe7ff608e36ff3f53

SHA1
1543d142324333c8d637919e2e6d49be960f2efe

SHA256
266d0f0cf13bf98f74ee1eebe0d810b4b9ac9a9400ce293d8042b015974d8650

SHA512
7920d2b6a38074fda157058bd1fd5afa6107fed43f97ce209adefb371f8074b0283dd95ee161477435c9adf59ca2fa64daa62eb70d3c1d63fdff12f0dafa85e0

Download Submit
C:\Windows\SysWOW64\Odpjcm32.exe

Filesize
59KB

MD5
65f09c661bc78c596fef3e8b8cfbccf9

SHA1
f47237f7b16c7c325cacc494b827f0d9e95187a5

SHA256
cd5af68767ad09aaa96983acc0c6cd8340d49d5d34d212e5f0c8cc817df91427

SHA512
8674cb5fac905f3def0a32f3011d024327cbcfbc5ea8e410676da4d340ea95ebfd04756da6fea6e32f45a9269ea0c25b47aab697091644128a41bb6e1fd0287d

Download Submit
C:\Windows\SysWOW64\Ogaceh32.exe

Filesize
59KB

MD5
7c2c9e5933ea65e3ba6db8bae9d9dd60

SHA1
7f89f41863f127ffd4810752b22d3bda947920c4

SHA256
675926de44976051a5aebf7765127a1032356ff422611dbb661ef2f07db7a2a0

SHA512
fe0b903dd1a5dce1110d31941d61dcc8b779ee19f1e0045466eeaaed7788b64fe064814e3e493217950c9e6c908aed499ab64c35ad3270a577e9c254fe47c86b

Download Submit
C:\Windows\SysWOW64\Ogogoi32.exe

Filesize
59KB

MD5
c419171316316495e0d98d78409702d9

SHA1
699cd9c43f73800104e421355308021f2f63ddb0

SHA256
e9ca29a1859bc080c61e5ea03c2d26e24baa1dc85d5fbd8e9b6566bf95d2f249

SHA512
670c90d40265b3a53342bb3b0fbd7a8281a1299dd1391fd977aa904b2190c5e504a11b82abccacbd66535f93dcde8a9db97f0608b4da35992eec70e33e12454c

Download Submit
C:\Windows\SysWOW64\Ojalgcnd.exe

Filesize
59KB

MD5
67d5bbdab3fe647ccf2ac3972efc8ea8

SHA1
5e9b20d4eb8732af01b0186b06abeeb3fde6fd61

SHA256
01a527ae73174ffc8e31f020967e48d8095f7fa23018de09abc45564a34f79b4

SHA512
b99e2de441318b69456375a1c1728cac2134576a04754c42fdb43c7abb08ac4f0637cc94c75edf08a07201c6ac460355500a60d772fe6fd15685275aae138eb1

Download Submit
C:\Windows\SysWOW64\Ojjffddl.exe

Filesize
59KB

MD5
724fa1961376796470cbc0bad2ff57f9

SHA1
4fababa7683b59f18ea7af6ceabc56bf4bde6a93

SHA256
424aedb6cdfe20000c7fb87e18ca259f8b08d160910c2ce54b6d6016bfa2c564

SHA512
fbdefaea4c9b01df8614331deca452f4daab89ed5e76e7ce6fe2a148b38c01755141aabf27cd326af769560dca597eb60f3134486e8bbf8fee859774e593e71b

Download Submit
C:\Windows\SysWOW64\Ojmcld32.exe

Filesize
59KB

MD5
1d44fc1aa7dfdb330ac1fc727764435f

SHA1
37bfce7968b08af884deef21bc5758719d9e1edb

SHA256
aa7ea4562cd240e18c5b825770474562cf6aed1d0bf52007f10cda6165755654

SHA512
7e62fa0fa5e26a23256e2242cdb19d857d6ce4f2ce6a160518859906af5736dca969c86f3f76b6c05b6647174ad78e9499c8173947055e6479cdeb0e07a66930

Download Submit
C:\Windows\SysWOW64\Okeieh32.exe

Filesize
59KB

MD5
5613e2c0e2b54df0ff044502534d1610

SHA1
8c2fdd1f02ec1999b1e90fccb0e2aa7a803e1ce4

SHA256
532d392d6d163f617a2438e442baff002f827d891888ff79bd1d11a1913c5552

SHA512
6b33c341726540182208cdd95e01adee594f91d2dad4e73417bd8e689a62b8c5a13916f717f197c7474779188acbc6d03dcbc62afa4202e798f6a88edb2f9c17

Download Submit
C:\Windows\SysWOW64\Okhfjh32.exe

Filesize
59KB

MD5
9a12bea3b3a1989f926504c19f8deba5

SHA1
0fecb6a701ee6510a76455295f5474ee3a752a0b

SHA256
d749c76f7c5db43e15e639f70af78443c076acc563eada4aeace83d9e17c82df

SHA512
5cc8fcf0910be7af469993934934ace77f0c03ee261918db4d1573d2bd5f3a39273881994caae88be817297c8747e44803666106fb6ce9112cbe5ffeff7e7a40

Download Submit
C:\Windows\SysWOW64\Ondeac32.exe

Filesize
59KB

MD5
a480b7541eaf6b4018662e0d6d3e65d7

SHA1
2a07a07a698f3ff067903db296fa03a5d69c900f

SHA256
52bb152893c7597f400870b45adf62614d3150a344064fe721173d6a567034f8

SHA512
f70c684fab9b48772de78d7552543df796233fe224adf1f855323c25ea66f3a4634f84340b49640896895bd522dd5259a09c286c8f2b14a4aee03a86a24f71e6

Download Submit
C:\Windows\SysWOW64\Onklabip.exe

Filesize
59KB

MD5
9560a3271df5ba92010922f7b5512b3a

SHA1
0eb7195b1928476335a970c1f351749a0068e09a

SHA256
190d5e4ab7adc97cfbc01c68a7fb8a42b7205c2373eaa5e2c15c5781e6d136ad

SHA512
1eef2852de461f0de5bf72a39e198d3469fa4bd80a1a94733e76e2d3e5d27f068a71c2c60bcebfec253aedf7cf443ac6f83e0751396cbc6cee10dec0883554f4

Download Submit
C:\Windows\SysWOW64\Oqgkhnjf.exe

Filesize
59KB

MD5
85a5d7b523567ef796561cf1b94df567

SHA1
83e89a7edc70539e27497ed643f1138b6f48df34

SHA256
b0e3d24f4cdc4c7eacc9ce5764380470e6b52ff59be6f2b58f28b4498ae8a09f

SHA512
d65ce3554d0e0ec4324fab146193945ca79a7300637fa893813e2a7f68ace25cce3738105b7b88c511fdc9ef5d166ebc643ef2da2454d84d05b3068d0b3c5c59

Download Submit
C:\Windows\SysWOW64\Peimil32.exe

Filesize
59KB

MD5
b92697d9a9c2a9f6c56cd437ade10498

SHA1
62428c9381b640bb087fdaeda65f970959006d03

SHA256
329fc20c61da8c537f411b2d1fb15732d6593a4b0bd960123d2a0f6b00c1c56f

SHA512
d7caf795e694eaf3e4977f6f2e9e9fb361f7e70ccb61020ce1c0a9a9438454f428f227fc8884b93bb587ec5120c5742c9a803fdc9971100aa00ba114a0c02809

Download Submit
C:\Windows\SysWOW64\Peljol32.exe

Filesize
59KB

MD5
dcd96930c13e4c6f0e7da741267a3099

SHA1
64a5fc45d489184a3d55df4ee739cd04be796097

SHA256
b988f1017eb84298cfca17506cb2f2daba8391d7f04076909394c44642a68610

SHA512
031744e299cf546e9475a5c4bc7f8b05ba4d7bcd42c445dba387f6453eebe77683573dce98a5b07781823d5ddf780777a25a8d3755db661a260a6d39461a2da2

Download Submit
C:\Windows\SysWOW64\Pgemphmn.exe

Filesize
59KB

MD5
5acf488f2aa39905902a3a7eb8f8dd3e

SHA1
574f01fdbd7d5943bc2947faa6d135e472718123

SHA256
c81843f47122fdb491e0bf756cb451569265d416ee5ee66e85d8079c9efbf84b

SHA512
f9565e55e4d87841e860a158d658208183e79f1227ba39ba370a007f23281747c346341bb40cd0c4e71464551adf6b6f4024555f3361bd3b4076c7fe255b2e5c

Download Submit
C:\Windows\SysWOW64\Pkceffcd.exe

Filesize
59KB

MD5
98417bf0b35c130bcc683c013556ba83

SHA1
96f8bd05f48aeb32e186815f0956599c996ea77a

SHA256
e584f0ac45822f6cf63d841ef4b43fdceaea9c8e308aa6b88c22a7fef3c2a969

SHA512
1041e496ae12a2acb72b41cbee9ef859b953527758bf290020d59bcc543f9fb8377b05c6bf1796fbf0585bfa1fe138da8bf5a652a5174bf0b2be7151a1fcc508

Download Submit
C:\Windows\SysWOW64\Pnbbbabh.exe

Filesize
59KB

MD5
a175daef13c752a46940455c3643cc63

SHA1
44c60c9a955d250249c39d5c189444e7a30900e3

SHA256
d1369f643b40b0cf14b1e7fd9627947a89fcf5700d360d37af91770fb88a23ff

SHA512
844c71af6c0419591f6c3477e1206064344178f54ed4cd919dfd059e65155df787beb5ae8d41607d17de06bf9591f119fe4260de4cc3de7d73c3118409246f7d

Download Submit
C:\Windows\SysWOW64\Pndohaqe.exe

Filesize
59KB

MD5
c5565ee7d33b80d60f32ac3129243498

SHA1
f368adffae556112ecc0b3d8b0d19722913b46c5

SHA256
c6f79456f8b9d2a66d452dea7e2f6063b924e6f7f01a72f1fa10e07d49bf42cd

SHA512
4458d0781eb2b3165e9543bbfed1b75faf824053a664845e23309652494f9e51ff78fcbb9fcc5eb24a5c56c89149580a3cd0378990ac7e9d0d3de18cf0de229d

Download Submit
C:\Windows\SysWOW64\Pnpemb32.exe

Filesize
59KB

MD5
85d941fceb3de93066e3a4f1d137d250

SHA1
2218451b58878a42ed4856b4b9935b999a88d2a1

SHA256
d475dd6c3ce0810aded010bceba9232e253560714204bcd7e2fb0d604804c719

SHA512
9ffb823cfee094ef1002f8614284283442f41e522a7cc74ed06abdc5d90110131a4f7c758ab5e9d1d5989ded2be8e3848654937bb9ddf711a3e3f2170ca9d92f

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
59KB

MD5
3b93f7c7fd37b752bcf2a06bc620caef

SHA1
89789a5a389856397c2b190507b82d47c0712a28

SHA256
15026327a6478079062a7b570be16d41c3258ec511dda3abd128218fbe94a218

SHA512
5f859b95cc1b4bfaa81adbb998de23e75d48e18c2351c4992534e7282425873fbc117db8905a66e826ce3b73a84e30fcfd1004b1df01909ad668599d30b5deb8

Download Submit
memory/116-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9276-2793-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/10436-2790-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/10496-2789-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/10596-2775-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/10704-2786-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/10852-2803-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/10884-2784-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/11140-2796-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/11224-2779-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads