898862db61629df6fbdc5118f2703e93aa083ab083907ba93c8a6fb96526df0c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

898862db61629df6fbdc5118f2703e93aa083ab083907ba93c8a6fb96526df0c.exe
Size

85KB
MD5

eb0e8ae8a98e6e16b96d76c2f7453084
SHA1

5bfcaedd52a6134ae1ce4fed18f330c37bb96aae
SHA256

898862db61629df6fbdc5118f2703e93aa083ab083907ba93c8a6fb96526df0c
SHA512

bcabe2de9037bdae61759e3b7eed7466fc24e739e4b9c463bf7b96fb7ee6f99609e1848a684e29797bb7b8052ca79235b4fa004f68ead694c59c51884a47d206
SSDEEP

1536:omo+i8B0nOwbqqwp8lnSUcJCpMYbHzs72JF2LHVhMQ262AjCsQ2PCZZrqOlNfVSc:vornOp8EU+oH46oHDMQH2qC7ZQOlzSLA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiefcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoiafcic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehnglm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gokdeeec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hopnqdan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dceohhja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcdmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eadopc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfngap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	898862db61629df6fbdc5118f2703e93aa083ab083907ba93c8a6fb96526df0c.exe

Executes dropped EXE 64 IoCs

pid	Process
1664	Dhkapp32.exe
1848	Dkjmlk32.exe
3204	Deoaid32.exe
3456	Dhnnep32.exe
2160	Dohfbj32.exe
3368	Dafbne32.exe
4604	Dhpjkojk.exe
2860	Dkoggkjo.exe
3860	Dceohhja.exe
4804	Dedkdcie.exe
4660	Dlncan32.exe
3584	Eolpmi32.exe
4504	Eaklidoi.exe
5056	Ehedfo32.exe
3908	Ekcpbj32.exe
852	Ecjhcg32.exe
3928	Eamhodmf.exe
2496	Ekemhj32.exe
4544	Eapedd32.exe
4016	Eekaebcm.exe
4304	Ehimanbq.exe
1776	Ecoangbg.exe
1512	Eemnjbaj.exe
2004	Elgfgl32.exe
3076	Eofbch32.exe
3864	Eadopc32.exe
2176	Ehnglm32.exe
4240	Fohoigfh.exe
3068	Fafkecel.exe
3588	Fdegandp.exe
3560	Fhqcam32.exe
208	Fdgdgnbm.exe
4172	Flnlhk32.exe
760	Fomhdg32.exe
392	Fakdpb32.exe
2092	Fhemmlhc.exe
3828	Fooeif32.exe
3048	Ffimfqgm.exe
2284	Fhgjblfq.exe
1952	Foabofnn.exe
932	Ffkjlp32.exe
4868	Fdnjgmle.exe
3028	Gcojed32.exe
3680	Gfngap32.exe
4180	Ghlcnk32.exe
3524	Gofkje32.exe
2180	Gcagkdba.exe
1044	Gbdgfa32.exe
3176	Ghopckpi.exe
3972	Gbgdlq32.exe
1564	Gdeqhl32.exe
376	Gmlhii32.exe
4820	Gokdeeec.exe
2480	Gcfqfc32.exe
1440	Gfembo32.exe
3576	Gdhmnlcj.exe
1384	Gmoeoidl.exe
4404	Gkaejf32.exe
4080	Gomakdcp.exe
3664	Gcimkc32.exe
464	Gblngpbd.exe
3020	Gdjjckag.exe
3460	Hiefcj32.exe
2516	Hkdbpe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ehimanbq.exe	Eekaebcm.exe
File created	C:\Windows\SysWOW64\Jeaikh32.exe	Iikhfg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmhale32.exe	Jeaikh32.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ehedfo32.exe	Eaklidoi.exe
File opened for modification	C:\Windows\SysWOW64\Eadopc32.exe	Eofbch32.exe
File opened for modification	C:\Windows\SysWOW64\Fdnjgmle.exe	Ffkjlp32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dkjmlk32.exe	Dhkapp32.exe
File created	C:\Windows\SysWOW64\Gblngpbd.exe	Gcimkc32.exe
File opened for modification	C:\Windows\SysWOW64\Hckjacjg.exe	Hopnqdan.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Ehnglm32.exe	Eadopc32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Jcbihpel.exe	Jlkagbej.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhnnep32.exe	Deoaid32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Fhqcam32.exe	Fdegandp.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hiefcj32.exe	Gdjjckag.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Lffhfh32.exe	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Hhkephlb.dll	Fdgdgnbm.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Jeaikh32.exe	Iikhfg32.exe
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Gjihje32.dll	Dedkdcie.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Immapg32.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Hbbdholl.exe	Hodgkc32.exe
File created	C:\Windows\SysWOW64\Kbaipkbi.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pmoahijl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8660	8544	WerFault.exe	375

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pniggbmk.dll"	Dlncan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfembo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehedfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paihpaak.dll"	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfkoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eamhodmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gokdeeec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkdbpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhmqf32.dll"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eolpmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdnjgmle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckjacjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlnnmb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1664	1688	898862db61629df6fbdc5118f2703e93aa083ab083907ba93c8a6fb96526df0c.exe	86
PID 1688 wrote to memory of 1664	1688	898862db61629df6fbdc5118f2703e93aa083ab083907ba93c8a6fb96526df0c.exe	86
PID 1688 wrote to memory of 1664	1688	898862db61629df6fbdc5118f2703e93aa083ab083907ba93c8a6fb96526df0c.exe	86
PID 1664 wrote to memory of 1848	1664	Dhkapp32.exe	87
PID 1664 wrote to memory of 1848	1664	Dhkapp32.exe	87
PID 1664 wrote to memory of 1848	1664	Dhkapp32.exe	87
PID 1848 wrote to memory of 3204	1848	Dkjmlk32.exe	88
PID 1848 wrote to memory of 3204	1848	Dkjmlk32.exe	88
PID 1848 wrote to memory of 3204	1848	Dkjmlk32.exe	88
PID 3204 wrote to memory of 3456	3204	Deoaid32.exe	89
PID 3204 wrote to memory of 3456	3204	Deoaid32.exe	89
PID 3204 wrote to memory of 3456	3204	Deoaid32.exe	89
PID 3456 wrote to memory of 2160	3456	Dhnnep32.exe	90
PID 3456 wrote to memory of 2160	3456	Dhnnep32.exe	90
PID 3456 wrote to memory of 2160	3456	Dhnnep32.exe	90
PID 2160 wrote to memory of 3368	2160	Dohfbj32.exe	91
PID 2160 wrote to memory of 3368	2160	Dohfbj32.exe	91
PID 2160 wrote to memory of 3368	2160	Dohfbj32.exe	91
PID 3368 wrote to memory of 4604	3368	Dafbne32.exe	92
PID 3368 wrote to memory of 4604	3368	Dafbne32.exe	92
PID 3368 wrote to memory of 4604	3368	Dafbne32.exe	92
PID 4604 wrote to memory of 2860	4604	Dhpjkojk.exe	93
PID 4604 wrote to memory of 2860	4604	Dhpjkojk.exe	93
PID 4604 wrote to memory of 2860	4604	Dhpjkojk.exe	93
PID 2860 wrote to memory of 3860	2860	Dkoggkjo.exe	94
PID 2860 wrote to memory of 3860	2860	Dkoggkjo.exe	94
PID 2860 wrote to memory of 3860	2860	Dkoggkjo.exe	94
PID 3860 wrote to memory of 4804	3860	Dceohhja.exe	95
PID 3860 wrote to memory of 4804	3860	Dceohhja.exe	95
PID 3860 wrote to memory of 4804	3860	Dceohhja.exe	95
PID 4804 wrote to memory of 4660	4804	Dedkdcie.exe	96
PID 4804 wrote to memory of 4660	4804	Dedkdcie.exe	96
PID 4804 wrote to memory of 4660	4804	Dedkdcie.exe	96
PID 4660 wrote to memory of 3584	4660	Dlncan32.exe	97
PID 4660 wrote to memory of 3584	4660	Dlncan32.exe	97
PID 4660 wrote to memory of 3584	4660	Dlncan32.exe	97
PID 3584 wrote to memory of 4504	3584	Eolpmi32.exe	98
PID 3584 wrote to memory of 4504	3584	Eolpmi32.exe	98
PID 3584 wrote to memory of 4504	3584	Eolpmi32.exe	98
PID 4504 wrote to memory of 5056	4504	Eaklidoi.exe	99
PID 4504 wrote to memory of 5056	4504	Eaklidoi.exe	99
PID 4504 wrote to memory of 5056	4504	Eaklidoi.exe	99
PID 5056 wrote to memory of 3908	5056	Ehedfo32.exe	100
PID 5056 wrote to memory of 3908	5056	Ehedfo32.exe	100
PID 5056 wrote to memory of 3908	5056	Ehedfo32.exe	100
PID 3908 wrote to memory of 852	3908	Ekcpbj32.exe	101
PID 3908 wrote to memory of 852	3908	Ekcpbj32.exe	101
PID 3908 wrote to memory of 852	3908	Ekcpbj32.exe	101
PID 852 wrote to memory of 3928	852	Ecjhcg32.exe	102
PID 852 wrote to memory of 3928	852	Ecjhcg32.exe	102
PID 852 wrote to memory of 3928	852	Ecjhcg32.exe	102
PID 3928 wrote to memory of 2496	3928	Eamhodmf.exe	103
PID 3928 wrote to memory of 2496	3928	Eamhodmf.exe	103
PID 3928 wrote to memory of 2496	3928	Eamhodmf.exe	103
PID 2496 wrote to memory of 4544	2496	Ekemhj32.exe	104
PID 2496 wrote to memory of 4544	2496	Ekemhj32.exe	104
PID 2496 wrote to memory of 4544	2496	Ekemhj32.exe	104
PID 4544 wrote to memory of 4016	4544	Eapedd32.exe	105
PID 4544 wrote to memory of 4016	4544	Eapedd32.exe	105
PID 4544 wrote to memory of 4016	4544	Eapedd32.exe	105
PID 4016 wrote to memory of 4304	4016	Eekaebcm.exe	106
PID 4016 wrote to memory of 4304	4016	Eekaebcm.exe	106
PID 4016 wrote to memory of 4304	4016	Eekaebcm.exe	106
PID 4304 wrote to memory of 1776	4304	Ehimanbq.exe	107

C:\Users\Admin\AppData\Local\Temp\898862db61629df6fbdc5118f2703e93aa083ab083907ba93c8a6fb96526df0c.exe
"C:\Users\Admin\AppData\Local\Temp\898862db61629df6fbdc5118f2703e93aa083ab083907ba93c8a6fb96526df0c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\Dhkapp32.exe
  C:\Windows\system32\Dhkapp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\Dkjmlk32.exe
    C:\Windows\system32\Dkjmlk32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\SysWOW64\Deoaid32.exe
      C:\Windows\system32\Deoaid32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        23⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        24⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        29⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        30⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        32⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        34⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        35⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        37⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        38⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        39⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        40⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        41⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        44⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        46⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        48⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        49⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        50⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        51⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        52⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        53⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        55⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        57⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        58⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        59⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        60⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        62⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        67⤵
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        68⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        69⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        70⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        71⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        73⤵
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        74⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        75⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        76⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        77⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2748
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2456
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        80⤵
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        81⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        82⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        83⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        84⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        85⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        86⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        88⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        92⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        94⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        95⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        96⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        97⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        98⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        101⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        102⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        103⤵
        
        PID:500
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        104⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        106⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        107⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        108⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        110⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        111⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        112⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        113⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        115⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        116⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        119⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        122⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        123⤵
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        124⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        126⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1500
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        128⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        129⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2460
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        131⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        132⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        133⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        134⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        136⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        138⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        139⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        140⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        141⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        142⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        143⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        145⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6600
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        149⤵
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        150⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        151⤵
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        152⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        153⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        154⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        155⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        157⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7008
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        159⤵
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        161⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        162⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        164⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        165⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        168⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        169⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        170⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        172⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        173⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        174⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        176⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        177⤵
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        179⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        180⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        186⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        187⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        189⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7196
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        191⤵
        Modifies registry class
        
        PID:7236
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        192⤵
        Modifies registry class
        
        PID:7276
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        193⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        194⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7400
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        196⤵
        Drops file in System32 directory
        
        PID:7440
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        197⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        198⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7568
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7608
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        201⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        202⤵
        Drops file in System32 directory
        
        PID:7692
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7740
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        204⤵
        Modifies registry class
        
        PID:7784
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        205⤵
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        206⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        207⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        208⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        209⤵
        Drops file in System32 directory
        
        PID:8004
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        210⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        211⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        212⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        213⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        214⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        215⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        216⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        217⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7472
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7544
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        220⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7676
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        222⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        223⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        224⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7888
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        225⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        226⤵
        Modifies registry class
        
        PID:8044
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        227⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        228⤵
        Modifies registry class
        
        PID:8164
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7224
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        230⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        231⤵
        Drops file in System32 directory
        
        PID:7452
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7516
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        233⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7808
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        235⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        236⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        237⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        238⤵
        Modifies registry class
        
        PID:8132
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7268
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        241⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        242⤵
        Drops file in System32 directory
        
        PID:7720
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        243⤵
        Modifies registry class
        
        PID:7928
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        244⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        245⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        246⤵
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        247⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        248⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7380
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        250⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        251⤵
        Modifies registry class
        
        PID:7180
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6236
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        253⤵
        Drops file in System32 directory
        
        PID:7304
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        254⤵
        Drops file in System32 directory
        
        PID:8240
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        255⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8328
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        257⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        258⤵
        Modifies registry class
        
        PID:8412
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        259⤵
        Drops file in System32 directory
        
        PID:8480
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8516
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        261⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8560
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        262⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8652
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        264⤵
        Modifies registry class
        
        PID:8704
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        265⤵
        Modifies registry class
        
        PID:8748
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        266⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        267⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8872
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        269⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        270⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        271⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9040
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        273⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        274⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        275⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9160
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        276⤵
        Modifies registry class
        
        PID:9208
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        277⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8312
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        279⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        280⤵
        Drops file in System32 directory
        
        PID:8464
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        281⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8544 -s 396
        282⤵
        Program crash
        
        PID:8660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8544 -ip 8544
1⤵
PID:8620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
85KB

MD5
e0bd7d2ffd3d4bf38c8bd1ff650d55b3

SHA1
2e328b184c7446dc5e8db520496e8f3b978d1bca

SHA256
ff235ecb355867b5f372ee250e53063b0024ce86bdf9412c29eb2c7344b54237

SHA512
ac9156d42705274141051b93a4d010bb1703fbc96f314f6880b45b1958421300cc5cb606ec667701756e74f81efa8383f37b83a8ac20e98272c83c39bd3cabc9

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
85KB

MD5
5e56247b9eb49bb32c5b160588eed86d

SHA1
ab6a8c3d8aad03b2fe5cab9e205a2b566438aa2b

SHA256
eeff585dd39018f9680b5615a0cd6389108a6ac1b162e7cb59b6c1ff85facfe0

SHA512
5335e4f34e4cd35c0fc1cf063066a91cbe32fa0ae951e7128c6ed794a6802133711c47a61762ecf31cb152a8c972c553d89da52473d5c8741d39ae8a6e3f5a75

Download Submit
C:\Windows\SysWOW64\Dafbne32.exe

Filesize
85KB

MD5
32afb9b15b8ad19ae8b83ddfbb1c2ba5

SHA1
efa704519eadc64d104b675ccfbb69d8d043a59f

SHA256
b7f35585bc8812eb15adf4bfdcccf9a65d4643929700480353e8d6f8894cd052

SHA512
eaf1b5a9ac59d834e474b4342a2eff1339c6d07a53fc885fd0852e53055418f39a8569fcf1eb3507becfa9039f46a4c619f70379406aa2dd51c7bb93b05c0b36

Download Submit
C:\Windows\SysWOW64\Dceohhja.exe

Filesize
85KB

MD5
a1da40accf8adfc96fb120df6f1b1a8d

SHA1
7b2921f4de062fab53b6b53914a55b4eec7e3706

SHA256
03e06625dba065a0710ef66fbeb36d831f8e19489244f8840fedb444424cb9f9

SHA512
fa4ab16fa6f67a9c0f207d2d967ee2d86dde8311d833c50f5f619741319f3004d7ed2fa8a5dbce9c58b66b4807f3c39e4c105ff71972ce7d2e5904205a9dc0be

Download Submit
C:\Windows\SysWOW64\Dedkdcie.exe

Filesize
85KB

MD5
6669f2d6f2cedb73f6cec2cc26885589

SHA1
42e0c726748e6326f78f7556fe1bd65d0a48511d

SHA256
1e02a79dc350f4561db377aa84a6e7fd52801a3a118ec402e3ae7969ac4d102c

SHA512
f05b06275e4a1f89ad8e6325b0748856facdd10926f67896b4d9afbc0484627d387bffc0799f6a87d6eeb3c15b1ba5596dafc87e98e2918b7bc9b96439c7f02e

Download Submit
C:\Windows\SysWOW64\Deoaid32.exe

Filesize
85KB

MD5
3987fdebd96de9cbb260d3998f42cba3

SHA1
f3a7562c72789d7b772367c8ac7c91b44872c9e5

SHA256
70cba661ead7be16d7024c71a20cd2477cbeb5c19b5db35d85b85be59eebd276

SHA512
3a7176aba81e0c6baca5603ea15dddcd84e7cf395fe8796a9abad4cc7ae4ab979c6c0cd125ce7219a16e1792d7baa4d4d232e9cbbd73a6b37d8634e97b56d73e

Download Submit
C:\Windows\SysWOW64\Dhkapp32.exe

Filesize
85KB

MD5
bf44401797d65a2c53d6ec91997074d5

SHA1
8d4365181be1e8d5c548741817a0f1e44c8c7757

SHA256
b87401b87d11dcd438b6e25a2cf22e468ee5ff008a91a0524e053ca33ef41b5c

SHA512
24fdcf3566663fb6bf39cbfefa4463ceb022bfd16c645b0664ce0acc63d9198d4fb5e723ce461441c2beec21c54abb6326a5bb517d7b04cf09e6c528df0ea2bf

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
85KB

MD5
2d16ac24b844f906555e0201c03f0488

SHA1
6e274eb42b308faf1d396ee43ffaf6abe4e5632c

SHA256
341880c60a402bfb2c9075446c670fac4c23999123d80e13068f96fdbc24917e

SHA512
feea2a17fb0ddb232c69b81018fa22be77e23014d3f7fb9a02446534e9bf54e46da8a33d0f67e66ffee8768a7ede65fcbcb30c4f40056594ce225c2552cdc723

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
85KB

MD5
862ebca4f84a842dc7df33937866cf39

SHA1
d3917abae722179e735260bd9c92aeb0bdc48041

SHA256
e3ecd1c88f201c0dc1202c3ce62a878bd44b8269dd9bac7c25e3b9bc4870f0c8

SHA512
f88ffaf0f34fbc753bfe96050f0b50deb22449855dc0cbd005600c8c8c8b18f835ea066fe97f90999919137f5995c0e6683adcf0058bbbe47b4ec10db00f11c4

Download Submit
C:\Windows\SysWOW64\Dkjmlk32.exe

Filesize
85KB

MD5
3e42c26deead847e4732f29b9a19da8d

SHA1
fb356a2505edcda1a4a745364344da5616e5abce

SHA256
63a9742e0d235d249fbaa206d3ed58b0c0b4e703c7675e81027952b19db82ef3

SHA512
8b9e778a1039f6460300abcfe9e84cc7ce6442b9927660a6077a3db6842e4c5e15e9d5185870d0a92409cf0d4b8cd99d056a51480c84af18193c08d10bbfd9bf

Download Submit
C:\Windows\SysWOW64\Dkoggkjo.exe

Filesize
85KB

MD5
0f5e154267fdfe841728f26a9d4ee5aa

SHA1
5e36ab1aae476687d61ab1a6266810829ee88d60

SHA256
1e98b66be9babb75f9092aab8f1723d945a06fef013f80c7b5e2ceb7473d5982

SHA512
d953a56ba6262c7ad2314ffd046515e75cf91c499ae22d8990cb1371f3cef6b4d75123aec89d9ef785313f297165283c0320e0eeadca951d861caea9ee923b83

Download Submit
C:\Windows\SysWOW64\Dlncan32.exe

Filesize
85KB

MD5
2c24adb3bfaf12996771d01494d0e9f2

SHA1
32f568eb35ff5a406d8acdba22ff541c8daf2fa8

SHA256
de6f70a361f0443882f0917cbeb280d6971a63d4337fc52a851f22259d5414e6

SHA512
f401a5f7c2396d44cc303da3acf9862330a6c58487cefebe852243dfaa43c76dea51f7fe7fdf4f975c81b0c03fa49d1d3228d3de8fc9c2748e01f983ddc321c3

Download Submit
C:\Windows\SysWOW64\Dohfbj32.exe

Filesize
85KB

MD5
ed5d62c80e396fae4334c945688d3112

SHA1
609f877b19fe2b7557e9b7c3c93dd9772ad03296

SHA256
e12e97908cdbfeb11a9f83fe23d458d362e6ffe0f3bd8d76774f54cc12181213

SHA512
270f7b57410d8f894c534a01f82d07f56c59209ed50f617300aca14e2809ab2ea7d6f7a4b023d2e19cd5c673a97c7676e317de841d97a2a8546952d4b5e9691d

Download Submit
C:\Windows\SysWOW64\Eadopc32.exe

Filesize
85KB

MD5
ebfeeabc4aa0e7b6906be7f4a36c901d

SHA1
c7c47c5c89e28d579b031288ec744c5d4906fa91

SHA256
748dd9159d752dcf59d489ef2596dec1376bed2bf5d5b618035e787a92ef4b06

SHA512
bc5988a955c364128442fe1221f0d8e060ff18e9905dbbd77e337d408d74184c17e4ebd96e9a34c9c2b908344ada92cdf118c590860928b267860bd0e4202092

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
85KB

MD5
8ef19ba6d6f033e86e7f1791256651c6

SHA1
187bc457446a0d8e428d5a7055f6ad6fbdd91a16

SHA256
dd861632edb27fbb7189d430c2fe4b8fe52968aa200f4b4db9b29d41b047d83f

SHA512
d86d81608bc54ad17e85485ca28dc596f379861beba6b5ebbdf05393fdaaed8fdcc1b6c2e62a1f4fb319b47fcef3d536a098755f71b7c23f6d4247470b72931f

Download Submit
C:\Windows\SysWOW64\Eamhodmf.exe

Filesize
85KB

MD5
22c6f3d266ebb149bcb3df1abfffc0f1

SHA1
c3f7614bfab22ed327c51e07bdff32640b0b4b9b

SHA256
1236feeeea08422bb895ce85b9c4dc8050e50f0f2a3ab428f8840cd4d44cfe97

SHA512
c989a1dbc6da86b77f6b10d3c60730e04b2f8f2973ac8c078edecf469bdd537602ec7b877c5e39a0ce64c8963e055db55ffd1370bd101e96a6b97064aa0e4d75

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
85KB

MD5
dccd3ab4fb5d781c17a9e910e456ac43

SHA1
68605bcb64413ff53e18d4433591182323889540

SHA256
3e0087d24b795de929cff44845514f2dc52243134a6b7cf7bbbc54dd42e7eb18

SHA512
b22e9a754a0ae6235cbd9becdf4c86b9db7280b36a3fefa70a8022f153f8647298831014c982648d3b376d96f53a2eb010f30529af3221a5d9b333b8106149c3

Download Submit
C:\Windows\SysWOW64\Ecjhcg32.exe

Filesize
85KB

MD5
34140c5dbac9beb06e0915fec9678b3e

SHA1
58cbfcb05c1f2a6def24f80cca49c6c9281ca7ae

SHA256
0058fbd256f057d48cbb9451c4fd39deca9f8676193c5accc3d4c345ee1f55aa

SHA512
48685eee5b890ffdfc40105ed97fc3197250f7b47501b2b467f94effb6b8378edd3c4bd261c6908f168cc7910d8f03d2edf25bcf7c49144d68a728a4c7f0782b

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
85KB

MD5
1c5b8cbb9dc29ac664af034b0cb79ff1

SHA1
1d8a37d615bc332b4c538d1148b2bac5d4034870

SHA256
7d681f45c8feb765017f7aca3c631aee5634ef6e09491c14bb5ab1c8e67aefce

SHA512
a0e5ef5f2e6355965737315d5b7b9ef648542768d16dec3d0ccd3ed8a654d8e1d103b2942279370479b59a9889e4926f28c7747e3033fc0b55a6d8511653045d

Download Submit
C:\Windows\SysWOW64\Eekaebcm.exe

Filesize
85KB

MD5
df3260dc77640c65f2d9edcc3ee88966

SHA1
351de3fd822406e10f1e70f614c23040bb2d3395

SHA256
d67ff251b522fbf5a2246a4de7dad35776a081dee31426646026fa226d4394f4

SHA512
f38201cc4a5dbfd40300bbb91af817ece3f99958403c038bc93cb566230618005524d110f4962ca588ec8120f1e3e67717581418c3ac0aa891ab5d7aee269a35

Download Submit
C:\Windows\SysWOW64\Eemnjbaj.exe

Filesize
85KB

MD5
ff8135d59faf03b0a4270f947357e230

SHA1
1ab06d27bed1737ac062ad4b78fd5ca4d4e7f032

SHA256
22447f1e74b1038ca9e5bb14aa2b6e18c57508deaf1b66baaf41e270c6749f1d

SHA512
6cf2f5ed1b187ff3e7899eebd181f5a5708c7c8df68f68fc16666eadcd96e1309f660cb86f3971bc6657f7c28e23e5c13f20e004ca74c4e2f316306048eef42f

Download Submit
C:\Windows\SysWOW64\Ehedfo32.exe

Filesize
85KB

MD5
3fa3c234ce6c8015cbabd884c7a7fb66

SHA1
193cab5be57cb666e6b769e0d3ea8b87e4243fc9

SHA256
006346b90a9937c34871d5f4d9d53f60a28a4391c794a69fa87ecf22f720bc52

SHA512
6256dc3076480a233d4f3089558e713e347c08ac63598a274cac6ea92e4c583d30d91c5c2183d7c5c734697eeebc37cd73926c724bf3ccc9bd8fd9bcb5f37d28

Download Submit
C:\Windows\SysWOW64\Ehimanbq.exe

Filesize
85KB

MD5
a3a45e679f3c498a27f265e1acd2e5d1

SHA1
55734e5f51e7b1311717776d02a37b40c557c31a

SHA256
2b2e44ea7ac6621992d2f2352cdcd0d05365e887f34ad614b0cd747647969492

SHA512
0794c10190d30af3bdbf022a0c625b3c0aafa2f5dd5ff626325fc6d5fc87351c5235a8ba42402456375d00bd557a45c98a3e8c5f0e6921253dcba45f851869be

Download Submit
C:\Windows\SysWOW64\Ehnglm32.exe

Filesize
85KB

MD5
ff48b36437f3c2d758f19982cc8030ea

SHA1
46668bd01119c2e2f2015f1e30a83f9efb164003

SHA256
9bd7be3f06727f62ef446e0981bd2f1319e79a4deed002bc186b53b20c72c3e0

SHA512
c5ceb2e4982d2ee0baeee59c1f95a5aa608253681d52aba47dc8b402f4b3feaea3cea62ee0358c349d098e3d1411d8bff92bff2b6fa36e8519c4c6abb367401b

Download Submit
C:\Windows\SysWOW64\Ekcpbj32.exe

Filesize
85KB

MD5
9e549a73aa0873cbb077dea1b531d5a9

SHA1
9dc27636f878a16ff74c861dbc26e921c64857c1

SHA256
cbd4b18ade508b7842feff68c51795debe1b8bc58ba8291a5ded55f611b9ce38

SHA512
06fcde1b1893b88b469cbdb41dce58ba25a25989617238013efaefeb3c8d92b52c892c2b9d99a85e4ce679e3f147e032dcd7bee373d4da9d39d418d496d1942b

Download Submit
C:\Windows\SysWOW64\Ekemhj32.exe

Filesize
85KB

MD5
758bef39d01a71d29467c632dee723c6

SHA1
13a40b6a08f4fdc21d20750eec6ceeafe423376b

SHA256
fda4fa3030db2e8ca2a0f6601b7b739685f847491c91acc1af356e66d057fda0

SHA512
49e4a2638310fe3c94c0b04b5fb155aa26eb4d9e84f71b3dac70008f463de268c7a3144a96b5fe966a06cc76648ed168da0e2094cde5ba5308d7db7155a29daf

Download Submit
C:\Windows\SysWOW64\Elgfgl32.exe

Filesize
85KB

MD5
12839cf99a83c0cf28eb1c244deabbb3

SHA1
0dfaf90b2955a2a43f3b598ffa139997c244e54e

SHA256
b70f188d87e586b974a2ca7bcc46c3941d2bb1a2f61aeee21cafa467ac520a37

SHA512
2745817548f5cc6eb4262bc100f75a0a1233495d1a01a374d08d8533d4383c3c0e5b7b86d85f63ba8da94515ba6518397de57331276ce88d6ee619e65f733b7b

Download Submit
C:\Windows\SysWOW64\Eofbch32.exe

Filesize
85KB

MD5
2bf6d6e9045355e5404fd8994d2492f5

SHA1
afdc801d5b28ce5d2ca5ad20cef7f88b7d42ed0d

SHA256
6d5896660a2f78682ed18f1a7e1fb9ea8e761983833388214585fc8afed0b566

SHA512
f8bcaff384875d71e123857ac21b88220a2d200979fd7abe9de3461fb6eded30eb715c58398067bc5c3f6cb06754d2a624a345a4591105a4dbfd339e7ead7175

Download Submit
C:\Windows\SysWOW64\Eolpmi32.exe

Filesize
85KB

MD5
68f234d46016f7302b08b12fa8dd867c

SHA1
25a7381dbf11d5194afa1bca666ea823b4d84374

SHA256
4f82ef3d4975f2ba21625695d3e8073eb41e719404e3c89ef08f11926d19bbc0

SHA512
97627ee32f9f1d1cca559421668daf3cfcd082e0ec9e8614b17b4572426608104aeb05992814962d77f424cc5389924d76d5191444c90412ada3f2fedeef0a1d

Download Submit
C:\Windows\SysWOW64\Fafkecel.exe

Filesize
85KB

MD5
8147af3fc5a84590be03efeb0e5edb4d

SHA1
2511c7cff03278c9e10390de99a75a03092d2386

SHA256
eb82507cdfd98a051a3f385e741eb3eb0a7f3df3a7ddb0eca996babad147c568

SHA512
b92dc456917e2cab2e6f5192ca77a5c2a29a3995adf97df8a553af3e82103701c624472e06fc1eda2f7e6dabbc6c0f4c1bb2c9af96a6dbcdb852fef4b1dcaad4

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
85KB

MD5
0a3c88206b4ca6238bff8c4443f56798

SHA1
36e5527d2c83fcb55d73e8cac4fd5f520b6e097f

SHA256
ccf7b177e2251cbf4eff9f2db8800d00db4d95b9a6273a69b37c16625e1deb73

SHA512
e6d835f2b30f33fce80c6ea0c7ce45fd18e94f687c761508b565febf702d3c614135f9d86bf4fa647d7a6cef9a4a25282164be7bd15c5755ced03da264467016

Download Submit
C:\Windows\SysWOW64\Fdgdgnbm.exe

Filesize
85KB

MD5
0e1f5888d0fcecee2ee5518c3752058f

SHA1
f25087e11f75bb202871f8e5fd3ea9a65045287c

SHA256
6e8da6a79a9f4576f3959b2164ffdd3f6a5412e79b96f5648a7ae9efd479c5b2

SHA512
fb06e8ee73697bcd7e3d0aef86516094ee3a9df4e008d3ef4e858d5308bcb8c520bc4833b5c632d894fd1322a2d734fba149efea7617913604336ceabee06604

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
85KB

MD5
8dfbd0ad3b14e11f031b8033332550c3

SHA1
d890c4b82c6c74f5480282f9d90adc5e0b2ba41e

SHA256
a983ee17de69bb8a368b2e3247ca48493163d30ba499db91d0e7a670c341cba8

SHA512
8c69145261be13c05f99505eebbc2c585def16d724dd9ec60bc9848a87163b7f79854571622f4949e79138af895b3a0ef2ac3fce6ec2066c0462abe3f433dfd3

Download Submit
C:\Windows\SysWOW64\Fohoigfh.exe

Filesize
85KB

MD5
e5116a87e8d862f8d5e5d3ffc839f0a0

SHA1
6bb812d600648ee568ea4f72485a6708ccf1a46d

SHA256
8facbace5448aa635052c43d7690adf4f392ebcedcf9cda7d2a01e64e2148a2a

SHA512
37b794f52fce0266f79033a4573b220eaefe56e29abf520379c317146445f136af749d8b780b0391ccf2d1d1300dabd521d701cccc8f997b3b86958aeaf0db6a

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
85KB

MD5
db3fb339230026ed4bcbde0b7629023a

SHA1
7df457e254fb80a7d725ec21e55f79c483387e3c

SHA256
80cb724b078d6fa96d1656b6f05a7215c64987ab083b86ab547e5d247e1a9265

SHA512
0ac64204f344936dcd82ac404c0728ee3d00281a012745ab764726ebd994c64f3d240132d36e70158406e8d702cabd0c80ef09fc4535ad0870f8416fe2e8cb8e

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
85KB

MD5
0ae21653f06b6a2d79b2b5f9a7957311

SHA1
0cb10e9a0dcf16cf2a81c7803fb2bec0670ab7da

SHA256
c274b1f380ad71171ff82dd1dd7493382676ec1fba368556339217a1460ebec6

SHA512
6fb20b7f5c64a172c6547b233470f6a2a49f3d8e841ad1398d4cfc994a1ac39c0ea4631a4cce9b627df3162efb8fcfa63188cf56c83d2e957974297b54d23a68

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
85KB

MD5
87c470bb0c15ca91705e1caa06c025a8

SHA1
e7dea28310b0e4ad8201a0e87135a2a021c6c865

SHA256
1be4a9f5948f392a734f49f2eff9b7a12dddf19df862d4f8b232b1219e076649

SHA512
2874b5f94335210edbf6dcdc32e9687580a229383933c9fa9b53a0a5382f509987f006d463a65adce42c38fc1da6746fa25eeb98aa657d020ffaf1cec156f91d

Download Submit
memory/208-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/208-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/392-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/760-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/852-138-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/932-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-194-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1776-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1848-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1848-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-227-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3068-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3068-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3076-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3368-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3368-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3560-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3560-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3584-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3588-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3680-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3828-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3864-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3864-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3908-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4544-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4604-150-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4604-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4660-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4804-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4868-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads